{
 "cells": [
  {
   "cell_type": "markdown",
   "id": "W2Oju7u_Fuw8",
   "metadata": {
    "id": "W2Oju7u_Fuw8"
   },
   "source": [
    "# TRAM-LLM, Multi-label\n",
    "\n",
    "[![image](https://colab.research.google.com/assets/colab-badge.svg)](https://colab.research.google.com/github/center-for-threat-informed-defense/tram/blob/main/user_notebooks/predict_multi_label.ipynb)\n",
    "\n",
    "This notebook applies TRAM's multi-label SciBERT model to documents that you upload and reports the technique labels predicted for each text segment.\n",
    "\n",
    "To start, select `Runtime > Change runtime type` and, under `Hardware accelerator`, choose `GPU`. Then run the next two cells: the first downloads the model weights and installs the Python dependencies, and the second loads the model and sets up the upload button and parameter selectors. Note that the first cell fetches the model files with `wget` and installs unpinned package versions, with no integrity check on either, so review what was downloaded before loading it."
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "id": "46QlB4CxCH5g",
   "metadata": {
    "colab": {
     "base_uri": "https://localhost:8080/",
     "height": 1000
    },
    "executionInfo": {
     "elapsed": 33135,
     "status": "ok",
     "timestamp": 1689378800750,
     "user": {
      "displayName": "tram",
      "userId": "11961082670110789134"
     },
     "user_tz": 240
    },
    "id": "46QlB4CxCH5g",
    "outputId": "cc4dcf88-6e39-45ac-c4a7-9106e38ee061"
   },
   "outputs": [],
   "source": [
    "!mkdir scibert_multi_label_model\n",
    "!wget https://ctidtram.blob.core.windows.net/tram-models/multi-label-20230803/config.json -O scibert_multi_label_model/config.json\n",
    "!wget https://ctidtram.blob.core.windows.net/tram-models/multi-label-20230803/pytorch_model.bin -O scibert_multi_label_model/pytorch_model.bin\n",
    "!pip install torch transformers pandas python-docx pdfplumber bs4"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "id": "52836ad6-5001-4b72-824e-4795a596ac08",
   "metadata": {
    "colab": {
     "base_uri": "https://localhost:8080/",
     "height": 141,
     "referenced_widgets": [
      "f572b5925804434ba930673033b9cd22",
      "a0daf61775094d08b57392a22a065668",
      "74965934b984462fb2496f31515fa78b",
      "65d33d5c7fb14434b09bc3edfe650d29",
      "9265f08085c14a33ac4e0ad3ef0d7cd6",
      "f0882d8483a4491ca93887a28d172cf1",
      "97e6cfd7c49a46a5a1dcc6f810c3972d",
      "498a84fba75b4cfda8874a6ff569721d",
      "8ae20efd21214242a6b421ce8412d0df",
      "adcde6e91c784415b48e3d57a384a55f",
      "8ab2949cffca4b57916b0e3ffee0d690",
      "3115f30f09cb4f8b800cc921f7497922"
     ]
    },
    "executionInfo": {
     "elapsed": 1792,
     "status": "ok",
     "timestamp": 1689378989210,
     "user": {
      "displayName": "tram",
      "userId": "11961082670110789134"
     },
     "user_tz": 240
    },
    "id": "52836ad6-5001-4b72-824e-4795a596ac08",
    "outputId": "6b8a50c5-6274-4ae7-e22d-2eb6484fc29c"
   },
   "outputs": [],
   "source": [
    "import transformers\n",
    "import torch\n",
    "import pandas as pd\n",
    "\n",
    "pd.set_option('display.max_columns', None)\n",
    "pd.set_option('display.max_rows', None)\n",
    "pd.set_option('display.max_colwidth', None)\n",
    "\n",
    "device = torch.device('cuda' if torch.cuda.is_available() else 'cpu')\n",
    "\n",
    "bert = transformers.BertForSequenceClassification.from_pretrained('scibert_multi_label_model').to(device).eval()\n",
    "tokenizer = transformers.BertTokenizer.from_pretrained('allenai/scibert_scivocab_uncased')\n",
    "\n",
    "import pandas as pd\n",
    "from tqdm import tqdm\n",
    "\n",
    "CLASSES = (\n",
    "    'T1003.001', 'T1005', 'T1012', 'T1016', 'T1021.001', 'T1027',\n",
    "    'T1033', 'T1036.005', 'T1041', 'T1047', 'T1053.005', 'T1055',\n",
    "    'T1056.001', 'T1057', 'T1059.003', 'T1068', 'T1070.004',\n",
    "    'T1071.001', 'T1072', 'T1074.001', 'T1078', 'T1082', 'T1083',\n",
    "    'T1090', 'T1095', 'T1105', 'T1106', 'T1110', 'T1112', 'T1113',\n",
    "    'T1140', 'T1190', 'T1204.002', 'T1210', 'T1218.011', 'T1219',\n",
    "    'T1484.001', 'T1518.001', 'T1543.003', 'T1547.001', 'T1548.002',\n",
    "    'T1552.001', 'T1557.001', 'T1562.001', 'T1564.001', 'T1566.001',\n",
    "    'T1569.002', 'T1570', 'T1573.001', 'T1574.002'\n",
    ")\n",
    "\n",
    "ID_TO_NAME = {\"T1055\": \"Process Injection\", \"T1110\": \"Brute Force\", \"T1055.004\": \"Asynchronous Procedure Call\", \"T1047\": \"Windows Management Instrumentation\", \"T1078\": \"Valid Accounts\", \"T1140\": \"Deobfuscate/Decode Files or Information\", \"T1016\": \"System Network Configuration Discovery\", \"T1057\": \"Process Discovery\", \"T1078.004\": \"Cloud Accounts\", \"T1518.001\": \"Security Software Discovery\", \"T1090.001\": \"Internal Proxy\", \"T1078.001\": \"Default Accounts\", \"T1071.001\": \"Web Protocols\", \"T1082\": \"System Information Discovery\", \"T1110.003\": \"Password Spraying\", \"T1484.001\": \"Group Policy Modification\", \"T1106\": \"Native API\", \"T1027.008\": \"Stripped Payloads\", \"T1548.002\": \"Bypass User Account Control\", \"T1105\": \"Ingress Tool Transfer\", \"T1033\": \"System Owner/User Discovery\", \"T1569.002\": \"Service Execution\", \"T1566.001\": \"Spearphishing Attachment\", \"T1059.003\": \"Windows Command Shell\", \"T1053.005\": \"Scheduled Task\", \"T1547.001\": \"Registry Run Keys / Startup Folder\", \"T1041\": \"Exfiltration Over C2 Channel\", \"T1210\": \"Exploitation of Remote Services\", \"T1005\": \"Data from Local System\", \"T1219\": \"Remote Access Software\", \"T1552.001\": \"Credentials In Files\", \"T1068\": \"Exploitation for Privilege Escalation\", \"T1543.003\": \"Windows Service\", \"T1570\": \"Lateral Tool Transfer\", \"T1027\": \"Obfuscated Files or Information\", \"T1113\": \"Screen Capture\", \"T1078.003\": \"Local Accounts\", \"T1012\": \"Query Registry\", \"T1055.002\": \"Portable Executable Injection\", \"T1573.001\": \"Symmetric Cryptography\", \"T1055.001\": \"Dynamic-link Library Injection\", \"T1072\": \"Software Deployment Tools\", \"T1027.001\": \"Binary Padding\", \"T1190\": \"Exploit Public-Facing Application\", \"T1218.011\": \"Rundll32\", \"T1090.003\": \"Multi-hop Proxy\", \"T1055.012\": \"Process Hollowing\", \"T1056.001\": \"Keylogging\", \"T1055.008\": \"Ptrace 
System Calls\", \"T1204.002\": \"Malicious File\", \"T1083\": \"File and Directory Discovery\", \"T1070.004\": \"File Deletion\", \"T1110.004\": \"Credential Stuffing\", \"T1036.005\": \"Match Legitimate Name or Location\", \"T1574.002\": \"DLL Side-Loading\", \"T1090\": \"Proxy\", \"T1027.003\": \"Steganography\", \"T1027.007\": \"Dynamic API Resolution\", \"T1074.001\": \"Local Data Staging\", \"T1090.002\": \"External Proxy\", \"T1564.001\": \"Hidden Files and Directories\", \"T1021.001\": \"Remote Desktop Protocol\", \"T1112\": \"Modify Registry\", \"T1027.005\": \"Indicator Removal from Tools\", \"T1003.001\": \"LSASS Memory\", \"T1027.002\": \"Software Packing\", \"T1090.004\": \"Domain Fronting\", \"T1562.001\": \"Disable or Modify Tools\", \"T1027.006\": \"HTML Smuggling\", \"T1095\": \"Non-Application Layer Protocol\", \"T1027.009\": \"Embedded Payloads\", \"T1078.002\": \"Domain Accounts\"}\n",
    "\n",
    "def create_subsequences(document: str, n: int = 13, stride: int = 5) -> list[str]:\n",
    "    words = document.split()\n",
    "    subsequences = [' '.join(words[i:i+n]) for i in range(0, len(words), stride)]\n",
    "    return subsequences\n",
    "\n",
    "def predict_document(document: str, threshold: float = 0.5, n: int = 13, stride: int = 5):\n",
    "    text_instances = create_subsequences(document, n, stride)\n",
    "    tokenized_instances = tokenizer(text_instances, return_tensors='pt', padding='max_length', truncation=True, max_length=512).input_ids\n",
    "\n",
    "    predictions = []\n",
    "    batch_size = 10\n",
    "    slice_starts = tqdm(list(range(0, tokenized_instances.shape[0], batch_size)))\n",
    "\n",
    "    with torch.no_grad():\n",
    "        for i in slice_starts:\n",
    "            x = tokenized_instances[i : i + batch_size].to(device)\n",
    "            out = bert(x, attention_mask=x.ne(tokenizer.pad_token_id).to(int))\n",
    "            predictions.extend(out.logits.sigmoid().to('cpu'))\n",
    "\n",
    "    probabilities = pd.DataFrame(\n",
    "        torch.vstack(predictions),\n",
    "        columns=CLASSES,\n",
    "        index=text_instances\n",
    "    )\n",
    "\n",
    "    result: list[tuple[str, set[str]]] = [\n",
    "        (text, {ID_TO_NAME[k] + ' - ' + k for k, v in clses.items() if v})\n",
    "        for text, clses in\n",
    "        probabilities.gt(threshold).T.to_dict().items()\n",
    "    ]\n",
    "\n",
    "    result_iter = iter(result)\n",
    "    current_text, current_labels = next(result_iter)\n",
    "    overlap = n_selector.value - stride_selector.value\n",
    "    out = []\n",
    "\n",
    "    for text, labels in result_iter:\n",
    "        if labels != current_labels:\n",
    "            out.append((current_text, current_labels))\n",
    "            current_text = text\n",
    "            current_labels = labels\n",
    "            continue\n",
    "        current_text += ' ' + ' '.join(text.split()[overlap:])\n",
    "\n",
    "    out_df = pd.DataFrame(out)\n",
    "    out_df.columns = ['segment', 'label(s)']\n",
    "    return out_df\n",
    "\n",
    "import io\n",
    "import re\n",
    "import pdfplumber\n",
    "import docx\n",
    "from bs4 import BeautifulSoup\n",
    "\n",
    "def parse_text(file_name: str, content: io.BytesIO) -> str:\n",
    "    if file_name.endswith('.pdf'):\n",
    "        with pdfplumber.open(content) as pdf:\n",
    "            text = \" \".join(page.extract_text() for page in pdf.pages)\n",
    "    elif file_name.endswith('.html'):\n",
    "        text = BeautifulSoup(content.read().decode('utf-8'), features=\"html.parser\").get_text()\n",
    "    elif file_name.endswith('.txt'):\n",
    "        text = content.read().decode('utf-8')\n",
    "    elif file_name.endswith('.docx'):\n",
    "        text = \" \".join(paragraph.text for paragraph in docx.Document(content).paragraphs)\n",
    "\n",
    "    cleaned_text = re.sub(r'\\s+', ' ', text).strip()\n",
    "    return cleaned_text\n",
    "\n",
    "from ipywidgets import FileUpload\n",
    "from IPython.display import display\n",
    "\n",
    "upload = FileUpload(multiple=True)\n",
    "\n",
    "from itertools import count\n",
    "COUNT = count(1)\n",
    "\n",
    "import ipywidgets as widgets\n",
    "n_selector = widgets.BoundedIntText(value=13, min=0, step=1, description='n value:', disabled=False)\n",
    "stride_selector = widgets.BoundedIntText(value=5, min=0, step=1, description='stride size:', disabled=False)\n",
    "threshold_selector = widgets.BoundedFloatText(value=0.9, min=0, step=0.1, description='probability:', disabled=False)\n",
    "display(upload, n_selector, stride_selector, threshold_selector)"
   ]
  },
  {
   "cell_type": "markdown",
   "id": "c6cd2a2d-634e-4e9e-90a0-51d397fd38d3",
   "metadata": {
    "id": "c6cd2a2d-634e-4e9e-90a0-51d397fd38d3"
   },
   "source": [
    "Use the upload button above to select one or more PDF (.pdf), HTML (.html), Word (.docx), or plain-text (.txt) files.\n",
    "\n",
    "You can use the default values for n, the stride size, and the probability threshold, or set your own.\n",
    "\n",
    "- The **n value** is the number of words to include in each segment.\n",
    "- The **stride size** is the number of words between the start of one segment and the start of the next. It needs to be less than the n value, or some words will be skipped.\n",
    "- The **probability** is the threshold for the model. Setting a lower probability means getting more predictions, but with a lower level of confidence. If the threshold is less than 0.5, you can potentially get two predictions (or three if it's less than 0.33, etc.).\n",
    "\n",
    "When you have uploaded the files and selected the parameters, run the next cell to extract the text from each file, split it into segments, and apply the model. The results are written to the file named by `output_file_name`, which you can change."
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 5,
   "id": "0c8f33d8-9c48-4cc7-a48c-807f88ad20b7",
   "metadata": {
    "colab": {
     "base_uri": "https://localhost:8080/",
     "height": 1000
    },
    "executionInfo": {
     "elapsed": 51928,
     "status": "ok",
     "timestamp": 1689379064942,
     "user": {
      "displayName": "tram",
      "userId": "11961082670110789134"
     },
     "user_tz": 240
    },
    "id": "0c8f33d8-9c48-4cc7-a48c-807f88ad20b7",
    "outputId": "069bd67e-13e4-48ad-bf4b-c7fcd7568f65"
   },
   "outputs": [
    {
     "name": "stderr",
     "output_type": "stream",
     "text": [
      "100%|██████████| 149/149 [00:48<00:00,  3.06it/s]\n",
      "<ipython-input-4-a9d231601b49>:59: UserWarning: DataFrame columns are not unique, some columns will be omitted.\n",
      "  probabilities.gt(threshold).T.to_dict().items()\n"
     ]
    },
    {
     "data": {
      "text/html": [
       "\n",
       "\n",
       "  <div id=\"df-14e07b41-0ee8-4c5e-867a-8730a05e4353\">\n",
       "    <div class=\"colab-df-container\">\n",
       "      <div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>segment</th>\n",
       "      <th>label(s)</th>\n",
       "      <th>name</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>ADVANCED ANALYTICS Analysis Results of Zeus.Variant.Panda Luca Ebach Analysis Report. June 22, 2017 G DATA Advanced Analytics GmbH G DATA Campus · Königsallee 178 D-44799 Bochum, Germany Contents 1 Introduction 2 2 Overview 3 2.1 General Information . . . . . . . . . . . . . . . . . . . . 3 2.2 Execution Flow . . . . . . . . . . . . . 4 3 Anti-Detection and Anti-Reverse-Engineering Techniques 6 3.1 Malware Startup Checks . . . . . . . . 6 3.1.1 Debug support . . . . . . . . . . . . . . 6 3.1.2 Language checks . . . . . . . . 6 3.1.3 Anti analysis check . . . . . . . . . . . . 6 3.2 Windows API Imports . . . . . . . . . 10 3.3 Crypted Strings . . . . . . . . . . . . . 10 3.4 Cryptography . . . . . . . . . 11 3.4.1 Random Numbers . . . . . . . . . . . . 11 3.4.2 Cryptography . . . . . . . . . . . . . . . 11 3.4.3 Hashing . . . . . . . . 12 4 Configuration 13 4.1 Bot ID . . . . . . . . 13 4.2 Configuration . . . . . . . . . . . . . . 13 4.2.1 Base Config . . . . . . . . . . . 13 4.2.2 Local Config (PeSettings) . . . . . . . . 14 4.2.3 Dynamic Config . . . . . . . . . . . . . 15 4.2.4 Local Settings. . . . . . . . . . 17 4.3 Bot Update . . . . . . . . . . . . . . . 18 4.4 Configuration Update . . . . . . . . . . . . . . 18 5 Payload and Persistence 20 5.1 Persistence . . . . . . . . . . 20 5.2 HTTP Grabber and Injector. . . . . . . . . .</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>. . . . . . . . . 20 5.3 Process Injection</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>. . . . 20 5.3 Process Injection . . . . .</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>5.3 Process Injection . . . . . . . . . .</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>4</th>\n",
       "      <td>. . . . . . . . . . 22 5.4 API Hooking Technique . . . . . . . . 22 5.5 Hooks and Browser Manipulation . . . . . . . . . . . . . 22 5.5.1 Internet Explorer . . . . . . . . . . . . . 23 5.5.2 Mozilla Firefox . . . . . . . . . . . . . . 25 5.5.3 Google Chrome . . . . . . . . . . . . . . 25 5.5.4 User Functions . . . . . . . . . 26 Contents 1 5.6 Plug-in ability. . . . . . . . . . . . . . 26 5.7 Webfilters . . . . . . . . . . . 27 5.8 Remote Script. . . . . . . . . 27 5.9 System Report . . . . . . . . . . . . . 29 6 Conclusion 30 1 Introduction Aside from ransomware attacks, banking trojans are also a very dangerous type of mal- ware. They do not have destructive behaviour in the first place, so their presence on a victim’s system might not be detected for quite an amount of time if the victim has no proper antivirus product installed. Since Panda is possibly among the most dangerous familiesofbankingtrojans, wedecidedtodoacomprehensiveanalysisofarecentsample of Panda. In this paper we focus on the analysis of the binary part of a Zeus.Panda malware sample. Foradetailedanalysisoftheactualwebinjectbehaviourandthecommunication flow between infected machines and the automatic transfer system’s server, please refer 1 2 to our blogposts by Manuel Körber-Bilgard and Karsten Tellmann. 1 https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/ 2 https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/ 2 Overview 2.1 General Information The original Zeus banking trojan’s source code was leaked in 2011 and since then several independent threat actors have used the source code as a basis for new variants of the malware. One of the most prolific and advanced of these variants is the Zeus.Panda banking trojan which we will analyse in this white paper. Zeus.Panda targets Windows operating systems from WinXP through Windows 10 and is typically spread through phishing mail campaigns, but proliferation through drive-by exploits has been seen. 
The sample analyzed in this whitepaper is: MD5 Packed: e005c4009c22e0f73fcdaeba99bd0075 Unpacked: 655f65b1b08621dfcb2603b59fca05bc SHA1 Packed: 6f5c186baa0d69799c250769052236b8bcfb13a1 Unpacked: 88782d3b74067d405e56f0a5e9b92e3fdb77dcd8 SHA256 Packed: d037723b90acb9d5a283d54b833e171e913f6fa7f44dd6d996d0cecae9595d0b Unpacked: bd956b2e81731874995b9b92e20f75dbf67ac5f12f9daa194525e1b673c7f83c Size</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>5</th>\n",
       "      <td>Unpacked: 88782d3b74067d405e56f0a5e9b92e3fdb77dcd8 SHA256 Packed: d037723b90acb9d5a283d54b833e171e913f6fa7f44dd6d996d0cecae9595d0b Unpacked: bd956b2e81731874995b9b92e20f75dbf67ac5f12f9daa194525e1b673c7f83c Size Packed: 252 KB Unpacked: 140 KB Number of Functions 538 IOCs (Filesystem) Panda tries to</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>6</th>\n",
       "      <td>of Functions 538 IOCs (Filesystem) Panda tries to find a directory underneath %APPDATA%\\Roaming that ∙ is empty, ∙ has a path that is at least 140 characters long, ∙ does not contain either of microsoft or firefox, and ∙ is as deep in the directory tree as possible In our analysis environment, Panda ended up in %APPDATA%\\Roaming\\Sun\\Java. Inthedirectory,Pandacreatesfourfileswithrandomfileextensions. Wediscovered 2.2 Execution Flow 4 Desktop (create shortcut).exe(malwareexecutable),Control Panel.cyd(dy- namicconfigfile,section4.2.3),Desktop.ysq(reportfile,section5.9),andNotepad.kix (localconfig file, section 4.2.2). IOCs (Registry) Aside from writing some</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>7</th>\n",
       "      <td>section 4.2.2). IOCs (Registry) Aside from writing some files to disk, Panda also</td>\n",
       "      <td>{Modify Registry - T1112}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>8</th>\n",
       "      <td>from writing some files to disk, Panda also uses some registry keys to store data. AlltheregistrykeysusedbyPandaarelocatedintheHKCU\\Software\\Microsoft key. The names of the keys are</td>\n",
       "      <td>{Modify Registry - T1112, Registry Run Keys / Startup Folder - T1547.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>9</th>\n",
       "      <td>AlltheregistrykeysusedbyPandaarelocatedintheHKCU\\Software\\Microsoft key. The names of the keys are random and in our system we observed Ivoc (reg- DynamicConfig), Kounhu (regLocalConfig), and Useglugy (regLocalSettings). See section 4.2.2 for a more detailed description of the</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>10</th>\n",
       "      <td>4.2.2 for a more detailed description of the configuration. Additionally, PandacreatesanewentrywithintheHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key which is used to start the malware as soon as</td>\n",
       "      <td>{Modify Registry - T1112, Registry Run Keys / Startup Folder - T1547.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>11</th>\n",
       "      <td>used to start the malware as soon as the infected user logs into its account. IOCs (other) Internally, Panda uses several mutexes and events to synchronize between the controlling process and the client instances in the browsers. The names of these objects are fixed on the local system but are different for any other system. Al- though, the</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>12</th>\n",
       "      <td>different for any other system. Al- though, the names are 32-character hexadecimal strings</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>13</th>\n",
       "      <td>Al- though, the names are 32-character hexadecimal strings in either case. Example: 4A0000002571569EA477E09F768C1A07 2.2 Execution Flow Figure 2.1 gives an overview of the control flow of Zeus.Panda. Each step will be de- scribed in detail in the coming chapters. 2.2 Execution Flow 5 Figure 2.1: Control flow of the malware executable. 3 Anti-Detection and Anti-Reverse-Engineering Techniques 3.1 Malware Startup Checks Before installing the malware executable in the victim’s system, Panda performs several checks to verify that it runs in a sane environment. 3.1.1 Debug support The first check verifies the integrity of a .dbg file. If the file is present on the file system, ithasthesamenameastheexecutable. The.dbgfilecontainsencryptedJSONdata3.4 of the form { \"data\": \"[data]\", \"sign\": \"[signature]\" } Afterreadingthecontentofthefile,PandahashesthedatapartoftheJSONobjectus- ing SHA1</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>14</th>\n",
       "      <td>\"data\": \"[data]\", \"sign\": \"[signature]\" } Afterreadingthecontentofthefile,PandahashesthedatapartoftheJSONobjectus- ing SHA1 through the Windows Crypt API. Afterwards, it uses CryptVerifySignature to check the calculated hash against</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>15</th>\n",
       "      <td>uses CryptVerifySignature to check the calculated hash against the content of the sign field using a static public key from the executable. If the signature is not valid, Panda removes itself from the</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>16</th>\n",
       "      <td>is not valid, Panda removes itself from the system. If the signature check</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>17</th>\n",
       "      <td>itself from the system. If the signature check is passed, Panda will bypass the subsequent anti-analysis code. 3.1.2 Language checks Once the debug support check is passed, Panda</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>18</th>\n",
       "      <td>Once the debug support check is passed, Panda checks the current keyboard layout</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>19</th>\n",
       "      <td>is passed, Panda checks the current keyboard layout against a predefined list of layouts. In the sample I analyzed, the list contained 0x419, 0x422, 0x423, 0x43f which stand for russian, ukrainian, belarusian, and kazakh, respec- tively. If either of those matches the current keyboard layout, Panda removes itself from the victim’s PC. 3.1.3 Anti analysis check The last step of the pre-run checks is a rather long list of checks for debug and analysis tools. Some of these tools are antiquated such as SoftIce where support stopped long before Windows XP which is the least recent operating system supported by Panda. Other of the tools such as IDA Pro and Immunity Debugger remain popular tools with 3.1 Malware Startup Checks 7 malware analysts. If any of these tools are present Panda aborts execution and removes itself. To identify analysis tools Panda uses four different types of tests: file use CreateFile with OPEN_EXISTING flag to check if a file/device exists mutex use OpenMutex to try to open an existing mutex running process useCreateToolhelp32Snapshottogetthelistofcurrentlyrunningprocesssesand check if any of them contains</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>20</th>\n",
       "      <td>process useCreateToolhelp32Snapshottogetthelistofcurrentlyrunningprocesssesand check if any of them contains a given string registry key useRegOpenKeytocheckifaregistrykeyexistsor checkaregistrykeyifitcontains a given value Thefulllistcontainschecksfor23toolsandisshowninthetableattheendofthesection. If either of those</td>\n",
       "      <td>{Modify Registry - T1112, Registry Run Keys / Startup Folder - T1547.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>21</th>\n",
       "      <td>a given value Thefulllistcontainschecksfor23toolsandisshowninthetableattheendofthesection. If either of those tests fails, Panda stops to</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>22</th>\n",
       "      <td>either of those tests fails, Panda stops to installing and removes itself from the system. Although, these checks can be skipped using -f</td>\n",
       "      <td>{File Deletion - T1070.004}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>23</th>\n",
       "      <td>Although, these checks can be skipped using -f as a command line parameter at the start of the malware. aut2exe process aut2exe running</td>\n",
       "      <td>{Windows Command Shell - T1059.003}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>24</th>\n",
       "      <td>start of the malware. aut2exe process aut2exe running Bochs registry key HKLM\\HARDWARE\\Description\\System\\SystemBiosVersion contains BOCHS Execute file C:\\\\execute.exe exists</td>\n",
       "      <td>{Modify Registry - T1112, Registry Run Keys / Startup Folder - T1547.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>25</th>\n",
       "      <td>key HKLM\\HARDWARE\\Description\\System\\SystemBiosVersion contains BOCHS Execute file C:\\\\execute.exe exists Frz mutex with name Frz_State exists IDA Pro process idaq running ImmunityDBG process immunity running Perl process perl running PopupKiller file C:\\popupkiller.exe exists prl One of: 3.1 Malware Startup Checks 8 ∙ file \\\\.\\prl_pv exists ∙ file \\\\.\\prl_tg exists ∙ file \\\\.\\prl_time exists ProcessExplorer process procexp running ProcessMonitor process procmon running ProcessHacker process processhacker running Python process python running Regshot process regshot running Sandboxie One of: ∙ SbieDll.dll can be loaded by LoadLibraryA ∙ mutex Sandboxie_SingleInstanceMutex_Control exists SoftICE One of: ∙ file \\\\.\\SICE exists ∙ file \\\\.\\SIWVID exists ∙ file \\\\.\\SIWDEBUG exists ∙ file \\\\.\\NTICE exists ∙ file \\\\.\\REGVXG exists ∙ file \\\\.\\FILEVXG exists ∙ file \\\\.\\REGSYS exists ∙ file \\\\.\\FILEM exists ∙ file \\\\.\\TRW exists ∙ file \\\\.\\ICEXT exists Stimulator file C:\\stimulator.exe exists VirtualBox One of: 3.1 Malware Startup Checks 9 ∙ file \\\\.\\VBoxGuest exists ∙ file \\\\.\\VBoxMouse exists ∙ file \\\\.\\VBoxVideo exists ∙ file \\\\.\\VBoxMiniRdrDN exists ∙ file \\\\.\\VBoxMiniRdDN exists ∙ file \\\\.\\VBoxTrayIPC exists ∙ registry key HKLM\\SOFTWARE\\Oracle\\VirtualBox</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>26</th>\n",
       "      <td>∙ file \\\\.\\VBoxTrayIPC exists ∙ registry key HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions exists ∙ registry key HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__ exists VirtualPC One</td>\n",
       "      <td>{Modify Registry - T1112}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>27</th>\n",
       "      <td>exists ∙ registry key HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__ exists VirtualPC One of: ∙ mutex MicrosoftVirtualPC7UserServiceMakeSureWe’reTheOnlyOneMutex exists</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>28</th>\n",
       "      <td>exists VirtualPC One of: ∙ mutex MicrosoftVirtualPC7UserServiceMakeSureWe’reTheOnlyOneMutex exists ∙ file \\\\.\\VirtualMachineServices exists VMware</td>\n",
       "      <td>{Windows Service - T1543.003}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>29</th>\n",
       "      <td>mutex MicrosoftVirtualPC7UserServiceMakeSureWe’reTheOnlyOneMutex exists ∙ file \\\\.\\VirtualMachineServices exists VMware One of: ∙ file \\\\.\\HGFS exists ∙ file \\\\.\\vmci exists</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>30</th>\n",
       "      <td>∙ file \\\\.\\HGFS exists ∙ file \\\\.\\vmci exists ∙ registry key HKLM\\SOFTWARE\\VMware Inc.\\VMware Tools exists Wine One of:</td>\n",
       "      <td>{Modify Registry - T1112}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>31</th>\n",
       "      <td>key HKLM\\SOFTWARE\\VMware Inc.\\VMware Tools exists Wine One of: ∙ kernel32.dll contains ”wine_get_unix_file_name\" function ∙ registry key HKLM\\Software\\WINE exists</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>32</th>\n",
       "      <td>contains ”wine_get_unix_file_name\" function ∙ registry key HKLM\\Software\\WINE exists ∙ registry key HKCU\\Software\\WINE exists</td>\n",
       "      <td>{Modify Registry - T1112}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>33</th>\n",
       "      <td>key HKLM\\Software\\WINE exists ∙ registry key HKCU\\Software\\WINE exists Wireshark One of: ∙ file \\\\.\\NPF_NdisWanIp exists ∙ process wireshark running Hypervisor One of: ∙ check if hypervisor bit of CPU is set ∙ file</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>34</th>\n",
       "      <td>hypervisor bit of CPU is set ∙ file \\\\.\\VmGenerationCounter exists 3.2 Windows API Imports 10 Function Resolve(Module, FunctionID)</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>35</th>\n",
       "      <td>3.2 Windows API Imports 10 Function Resolve(Module, FunctionID) { For exportName in Module.Exports { If (CRC32(exportName) == FunctionID) { Return AddressOfFunction(exportName) } } } Function Import(ModuleID, FunctionID) { If (FunctionID not in cache) { Module := DecryptName(ModuleID) If (Module is not loaded) {</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>36</th>\n",
       "      <td>:= DecryptName(ModuleID) If (Module is not loaded) { LoadLibrary(Module) } cache[functionID] := Resolve(Module,</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>37</th>\n",
       "      <td>not loaded) { LoadLibrary(Module) } cache[functionID] := Resolve(Module, FunctionID) } Return cache[functionID] } Listing 3.1: Pseudocode describing the</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>38</th>\n",
       "      <td>Return cache[functionID] } Listing 3.1: Pseudocode describing the implementation of the Windows API import function. 3.2 Windows API Imports To harden itself against</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>39</th>\n",
       "      <td>3.2 Windows API Imports To harden itself against static analysis, Panda avoids importing</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>40</th>\n",
       "      <td>harden itself against static analysis, Panda avoids importing Windows API functions directly. Instead, it uses LoadLibrary and parses the export directory of libraries.</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>41</th>\n",
       "      <td>LoadLibrary and parses the export directory of libraries. It creates a CRC32 hash of each export name and compares it to a hardcoded CRC32 of the name of the desired import. If the two match, the function address from the export directory of the library is used. In case of forwarded exports Panda reverts to import the function</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>42</th>\n",
       "      <td>forwarded exports Panda reverts to import the function by using the GetProcAddress API. A simplified pseudo code of the import function is shown in listing 3.1. The actual</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>43</th>\n",
       "      <td>function is shown in listing 3.1. The actual implementation is a bit more complicated, but this should give an overview of how it works. There are exceptions however. It seems that some imports are, by accident, left in the binary. Fortunately, this includes functions like LoadLibrary and GetProcAddress</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>44</th>\n",
       "      <td>Fortunately, this includes functions like LoadLibrary and GetProcAddress which lowered the difficulty of</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>45</th>\n",
       "      <td>LoadLibrary and GetProcAddress which lowered the difficulty of the static analysis since we were able to determine the import function shortly after the start of the analysis. Also, calls to the Heap* func- tions (Alloc, Free, ReAlloc, Create, Destroy) and also a single call to Sleep are not imported using the custom import functions. 3.3 Crypted Strings Most strings an analyst might come across during the analysis process are encrypted. This hinders an analyst from using strings to determine the purpose of some functions. 3.4 Cryptography 11 struct cryptEntry { char key; char unused; short length; const char*</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>46</th>\n",
       "      <td>char key; char unused; short length; const char* data; } Listing 3.2: The</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>47</th>\n",
       "      <td>length; const char* data; } Listing 3.2: The layout of an entry in</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>48</th>\n",
       "      <td>Listing 3.2: The layout of an entry in the list of encrypted strings.</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>49</th>\n",
       "      <td>an entry in the list of encrypted strings. Panda decrypts the strings on the fly whenever a string</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140, Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>50</th>\n",
       "      <td>the strings on the fly whenever a string is needed. The decryption routine for the i-th string is rather simple: 𝑜𝑢𝑡𝑝𝑢𝑡[𝑝𝑜𝑠] = 𝑝𝑜𝑠⊕𝑐𝑟𝑦𝑝𝑡𝑒𝑑𝑆𝑡𝑟𝑖𝑛𝑔𝑠[𝑖].𝑑𝑎𝑡𝑎[𝑝𝑜𝑠]⊕∼𝑐𝑟𝑦𝑝𝑡𝑒𝑑𝑆𝑡𝑟𝑖𝑛𝑔𝑠[𝑖].𝑘𝑒𝑦</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>51</th>\n",
       "      <td>i-th string is rather simple: 𝑜𝑢𝑡𝑝𝑢𝑡[𝑝𝑜𝑠] = 𝑝𝑜𝑠⊕𝑐𝑟𝑦𝑝𝑡𝑒𝑑𝑆𝑡𝑟𝑖𝑛𝑔𝑠[𝑖].𝑑𝑎𝑡𝑎[𝑝𝑜𝑠]⊕∼𝑐𝑟𝑦𝑝𝑡𝑒𝑑𝑆𝑡𝑟𝑖𝑛𝑔𝑠[𝑖].𝑘𝑒𝑦 All encrypted strings are referenced</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>52</th>\n",
       "      <td>𝑜𝑢𝑡𝑝𝑢𝑡[𝑝𝑜𝑠] = 𝑝𝑜𝑠⊕𝑐𝑟𝑦𝑝𝑡𝑒𝑑𝑆𝑡𝑟𝑖𝑛𝑔𝑠[𝑖].𝑑𝑎𝑡𝑎[𝑝𝑜𝑠]⊕∼𝑐𝑟𝑦𝑝𝑡𝑒𝑑𝑆𝑡𝑟𝑖𝑛𝑔𝑠[𝑖].𝑘𝑒𝑦 All encrypted strings are referenced in a large static array</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>53</th>\n",
       "      <td>strings are referenced in a large static array of structures in the read- only section of the binary. Each entry is a structure of type cryptEntry (see listing 3.2) which consists of the key character, the length of the encrpyted string, and a</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>54</th>\n",
       "      <td>the length of the encrpyted string, and a pointer to the actual encrypted</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>55</th>\n",
       "      <td>string, and a pointer to the actual encrypted string. The decryption function then takes the index of the</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140, Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>56</th>\n",
       "      <td>decryption function then takes the index of the to-be- decrypted string in the array of structs, extracts the</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>57</th>\n",
       "      <td>string in the array of structs, extracts the key, length, and string pointer</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>58</th>\n",
       "      <td>structs, extracts the key, length, and string pointer from it and than decrypts the strings into a given buffer. Depending on how this</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>59</th>\n",
       "      <td>into a given buffer. Depending on how this function is used, it either</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>60</th>\n",
       "      <td>on how this function is used, it either decrypts the strings onto the stack (if the function is</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>61</th>\n",
       "      <td>strings onto the stack (if the function is directly called) or the string</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>62</th>\n",
       "      <td>the function is directly called) or the string is encrypted into the heap if any of the intermediate</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>63</th>\n",
       "      <td>into the heap if any of the intermediate function is called. During the analysis we used the IDAPython plugin idaemu (frontend for UnicornEngine for use in IDA Pro) to emulate the encryption function for all possible string indexes and annotated the IDA database accordingly. 3.4 Cryptography 3.4.1 Random Numbers InsteadofusingWinAPIfunctionstogeneraterandomnumbers,PandausestheMersenne Twister MT 19937 to generate random numbers. Panda</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>64</th>\n",
       "      <td>Twister MT 19937 to generate random numbers. Panda provides internal API functions to generate single numbers or buffers with support for upper and</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>65</th>\n",
       "      <td>numbers or buffers with support for upper and lower bounds for the numbers. 3.4.2 Cryptography Additionally, Panda uses a set of cryptographic algorithms to encrypt and hash sensitive data to prevent analysis and manipulation of the data. For example, Panda encrypts almost all settings and configuration values in memory. The algorithms used are AES and RC4. Both of them are used either with a hardcoded or with a dynamic key (which isgeneratedduringthefirstrunofthemalware). Interestingly, bothAESandRC4share the same dynamic binary key material. RC4 (static key) ∙ parts of the basic</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>66</th>\n",
       "      <td>RC4 (static key) ∙ parts of the basic config that are double encrypted 3.4 Cryptography 12 ∙ PeSettings in the extended file attributes</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>67</th>\n",
       "      <td>12 ∙ PeSettings in the extended file attributes of the malware executable (see sec- tion 4.2.2) ∙ object name generation (RC4 is used for scrambling there, no cryptographic</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>68</th>\n",
       "      <td>(RC4 is used for scrambling there, no cryptographic purpose) ∙ encrypted data in</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>69</th>\n",
       "      <td>there, no cryptographic purpose) ∙ encrypted data in dynamic config (e.g. backconnect IPs</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>70</th>\n",
       "      <td>encrypted data in dynamic config (e.g. backconnect IPs and ports for Vnc and</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>71</th>\n",
       "      <td>(e.g. backconnect IPs and ports for Vnc and Socks) RC4 (dynamic key) ∙ local settings (see section 4.2.4)</td>\n",
       "      <td>{Remote Desktop Protocol - T1021.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>72</th>\n",
       "      <td>(dynamic key) ∙ local settings (see section 4.2.4) ∙ report data that is temporarily stored on disk until it is submitted to the command-and-control server AES (static key)</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>73</th>\n",
       "      <td>submitted to the command-and-control server AES (static key) ∙ base config decryption (see</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>74</th>\n",
       "      <td>AES (static key) ∙ base config decryption (see section 4.2.1) ∙ internal public</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140, Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>75</th>\n",
       "      <td>config decryption (see section 4.2.1) ∙ internal public key decryption ∙ decryption of delay-loaded binary modules ∙ communication with command-and-control server AES (dynamic</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>76</th>\n",
       "      <td>modules ∙ communication with command-and-control server AES (dynamic key) ∙ registry data (dynamic config, local config; see section 4.2.3 and 4.2.2) 3.4.3 Hashing</td>\n",
       "      <td>{Modify Registry - T1112}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>77</th>\n",
       "      <td>config; see section 4.2.3 and 4.2.2) 3.4.3 Hashing Aside from encrypting data, Panda also uses some cryptographic hash functions. SHA256 ∙ DGA hostname generation (see section 4.4) ∙ bot ID (see section 4.1) ∙ object name generation ∙ integrity check of AES encrypted data sent by the command-and-control</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>78</th>\n",
       "      <td>of AES encrypted data sent by the command-and-control server SHA1 ∙ signature verification</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>79</th>\n",
       "      <td>by the command-and-control server SHA1 ∙ signature verification of the binary module data sent by the command-and- control server 4 Configuration 4.1 Bot ID To be able to track and control each malware instance in the botnet, Panda generates a unique bot id. The bot id is a 32-byte hex string that can</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>80</th>\n",
       "      <td>id is a 32-byte hex string that can be described as 𝐵𝑜𝑡𝐼𝐷 ←</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>81</th>\n",
       "      <td>string that can be described as 𝐵𝑜𝑡𝐼𝐷 ← 𝐻𝑒𝑥𝑆𝑡𝑟𝑖𝑛𝑔(𝑆𝐻𝐴256(𝑐𝑜𝑚𝑝𝑢𝑡𝑒𝑟𝑁𝑎𝑚𝑒||𝑖𝑛𝑠𝑡𝑎𝑙𝑙𝐷𝑎𝑡𝑒||𝑝𝑟𝑜𝑑𝑢𝑐𝑡𝐼𝑑||𝑣𝑒𝑟𝑠𝑖𝑜𝑛𝐼𝑛𝑓𝑜)) where computerName local computer name, fallback to ”unknown” if error in GetComputerNameW installDate contentofregistrykeyHKLM\\Software\\Microsoft\\Windows NT\\Current Version\\InstallDate productId CRC32sumofthecontentoftheregistrykeyHKLM\\Software\\Microsoft\\Windows NT\\Current Version\\DigitalProductId; fallback to 0 if failed getting key value versionInfo CRC32 sum of OSVERSIONINFOEXW where everything from (and including) szCS- DVersion is zeroed out (szCSDVersion, wServicePackMajor, wServicePackMinor, wSuiteMask,wProductType,wReserved);fallbacktoCRC32sumof sizeof(OSVERSIONINFOEXW) zeroes Apart from identifying the bot, the bot id is also used as part of the algorithm that generates kernel object names (mutexes, window class names, event names, etc). 4.2 Configuration Panda uses three different types of configurations: base, local, and dynamic. Each type of config has its own special purpose and is not available through static analysis – except for the base config. 4.2.1 Base Config Fortheinitialconfigurationandthefirstconnectionstothecommand-and-controlserver, Panda contains a static base config with default settings for the most important confi- guration values. This includes the following values: 4.2 Configuration 14 dwDelayConfig delay in minutes how long to wait until malware starts to get the initial dynamic config dwRc4KeyLength length of the binary RC4 key szwDGAConfigUrls list of URLs suffixes</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>82</th>\n",
       "      <td>binary RC4 key szwDGAConfigUrls list of URLs suffixes for the DGA (see section</td>\n",
       "      <td>{Remote Desktop Protocol - T1021.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>83</th>\n",
       "      <td>of URLs suffixes for the DGA (see section 4.4) rc4Key binary RC4 key,</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>84</th>\n",
       "      <td>DGA (see section 4.4) rc4Key binary RC4 key, used to encrypt the PeSettings dwDGAConfigUrlsLength length of szwDGAConfigUrls szwInitialCnCHosts</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>85</th>\n",
       "      <td>encrypt the PeSettings dwDGAConfigUrlsLength length of szwDGAConfigUrls szwInitialCnCHosts an encrypted, null-separated list of</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>86</th>\n",
       "      <td>of szwDGAConfigUrls szwInitialCnCHosts an encrypted, null-separated list of strings for initial command-and-control do-</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>87</th>\n",
       "      <td>null-separated list of strings for initial command-and-control do- mains dwWaitAfterProcessInfection delay in minutes how long to wait for the core process to be initialized dwCnCUrlCount number of command-and-control domains in szwInitialCncHosts dwCheckConfigDelay delay in minutes for next dynamic config check 4.2.2 Local Config (PeSettings) The local config the data that is shared by all instances of the Panda malware on the local system and is generated only once at the first start of the malware and is then persisted in the malware executable using Extended File Attributes. The values of the PeSettings structure are as follows: dwStructSize the size of the structure szwBotId the ID of the bot that is used to identify the client against the backend server (see section 4.1) guid theGUIDofthelocalsystem; ifthemalwareisexecutedagainafterthefirststart,it recalculatestheguidandchecksifitmatchestheonefromthePeSettings. Ifthisis not the case, Panda aborts its execution. This can be used to check if the malware wasmovedtoanotherPCafteritwasstartedonce(e.g. copyingapersistedsample 4.2 Configuration 15 of the malware from a victim’s computer to an analysis environment of a malware analyst) rc4BinKey this RC4 key is</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>88</th>\n",
       "      <td>a malware analyst) rc4BinKey this RC4 key is used to encrypt all data</td>\n",
       "      <td>{Modify Registry - T1112, Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>89</th>\n",
       "      <td>RC4 key is used to encrypt all data that goes to the registry</td>\n",
       "      <td>{Modify Registry - T1112}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>90</th>\n",
       "      <td>encrypt all data that goes to the registry keys (e.g. a backup of</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>91</th>\n",
       "      <td>to the registry keys (e.g. a backup of the currently used dynamic config)</td>\n",
       "      <td>{Modify Registry - T1112}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>92</th>\n",
       "      <td>a backup of the currently used dynamic config) dwInfectionId a random number identifying the current infection szwCoreFile, szwReportFile, szwDynConfigFile, szwLocalConfigFile files on the local filesystem; szwCoreFile is the name of the malware executable; szwReportFile contains the path to the file where Panda temporarily stores the report data until they are sent to the</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>93</th>\n",
       "      <td>report data until they are sent to the server; szwDynConfigFile points to the file where the dynamic config</td>\n",
       "      <td>{Exfiltration Over C2 Channel - T1041}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>94</th>\n",
       "      <td>points to the file where the dynamic config is backed up on the filesystem; szwLocalConfigFile contains the file where the local config is</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>95</th>\n",
       "      <td>contains the file where the local config is stored regKey a random registry key name regDynamicConfig thenameoftheregistrykeythatcontainsthebackupofthecurrentdynamicconfig regLocalConfig</td>\n",
       "      <td>{Modify Registry - T1112, Registry Run Keys / Startup Folder - T1547.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>96</th>\n",
       "      <td>a random registry key name regDynamicConfig thenameoftheregistrykeythatcontainsthebackupofthecurrentdynamicconfig regLocalConfig the name of the registry key containing a backup of</td>\n",
       "      <td>{Modify Registry - T1112}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>97</th>\n",
       "      <td>of the registry key containing a backup of the local PeSettings regLocalSettings the</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>98</th>\n",
       "      <td>a backup of the local PeSettings regLocalSettings the name of the registry key</td>\n",
       "      <td>{Modify Registry - T1112}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>99</th>\n",
       "      <td>PeSettings regLocalSettings the name of the registry key that is used to store</td>\n",
       "      <td>{Modify Registry - T1112, Registry Run Keys / Startup Folder - T1547.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>100</th>\n",
       "      <td>the registry key that is used to store the local settings into (e.g. IDs of socks and VNC modules) 4.2.3 Dynamic Config ThefirstthingPandadoesafterinitializingandinjectingintoitsrun-timehostprocessis</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>101</th>\n",
       "      <td>socks and VNC modules) 4.2.3 Dynamic Config ThefirstthingPandadoesafterinitializingandinjectingintoitsrun-timehostprocessis to download a dynamic config from its command-and-control server. This</td>\n",
       "      <td>{Ingress Tool Transfer - T1105}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>102</th>\n",
       "      <td>a dynamic config from its command-and-control server. This configuration is created by the command-and-control server on demand and can change at any time. This allows the malware operator to maintain his control capabillity even in the event that the static configured command and control server is shut down. But especially the dynamic configuration is interesting for malware analysts because it contains the URLs and/or IP addresses of the ATS server(s). Panda uses its built-in JSON parser to parse the dynamic configuration. The malware makes use of the following values: created the creation date of the config; used to check if the downloaded one is newer than the local one botnet the name of the botnet the client is part of 4.2 Configuration 16 check_config time in seconds when to check for the next dynamic config send_report time in seconds when to send the next system report check_update time in seconds when to check for the next client update url_config the url from where to download the next dynamic config url_webinjects the url from where to download the webinjects url_update the url for the bot update url_plugin_vnc32 the url for the VNC32 module url_plugin_vnc64 the url for the VNC64 module url_plugin_vnc_backserver the URL/IP address where the VNC module should connect to url_plugin_grabber the url for the http grabber module url_plugin_backsocks the url for the</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>103</th>\n",
       "      <td>http grabber module url_plugin_backsocks the url for the backconnect socks proxy module url_plugin_backsocks_backserver the URL/IP address where the socks backconnect proxy should connect to reserved encrypted data, from the context of the use</td>\n",
       "      <td>{Proxy - T1090}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>104</th>\n",
       "      <td>encrypted data, from the context of the use of the data it seems that this is a list of fallback URLs for the download of the dynamic config (see section 4.4) grabber_pause time in minutes how long to wait until starting the grabber module There are some additional configuration values that can be provided which are not directly used by the sample, but probably used in one of the modules: grab_softlist/grab_pass/grab_form/grab_cert/grab_cookie/grab_del_cookie/grab_del_cache flags denoting whether the grabber module should grab specific data or to delete some data (cookies, cache)</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>105</th>\n",
       "      <td>data or to delete some data (cookies, cache) 4.2 Configuration 17 dgaconfigs the</td>\n",
       "      <td>{File Deletion - T1070.004, Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>106</th>\n",
       "      <td>data (cookies, cache) 4.2 Configuration 17 dgaconfigs the url for the DGA config file; the DGA config file contains a list of URL suffixes which are appended to a generated string from where the bot will try to</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>107</th>\n",
       "      <td>string from where the bot will try to download the next dynamic configuration</td>\n",
       "      <td>{Ingress Tool Transfer - T1105}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>108</th>\n",
       "      <td>will try to download the next dynamic configuration webfilters a list of URL masks where Panda can take special actions (see section 5.7) webinjects URLs, payloads, and location descriptions for the webinjects 4.2.4 Local Settings Additionally, Panda stores some run-time settings in a structure called LocalSettings by themalwareauthors. Thesesettingsarenotmeanttocontrolthebehaviourofthebot,it is more like a temporary data store of values that are client specific and need to be kept even after the malware is restarted (e.g. because of a system reboot). The structure contains the following values: dwModuleStartFlags bitmap denoting which of the modules has been started dwGrabberFlags bitmap denoting</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>109</th>\n",
       "      <td>the modules has been started dwGrabberFlags bitmap denoting which of the http grabber features has been enabled dwPandaAntivirusFound set to 1 if Panda</td>\n",
       "      <td>{Web Protocols - T1071.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>110</th>\n",
       "      <td>been enabled dwPandaAntivirusFound set to 1 if Panda Antivirus was found, changes the behaviour of the bot update dwHashSet bitmap denoting which of the hashes has been set szConfigId,szWebinjectsId,szUpdateId,szGrabberId,szVnc32Id,szVnc64Id,szBack- socksId 65-byte buffers to store the hashes of the respective files/modules dwCurrentUrlIdx the index of the currently used update URL in the list fallback URLs dwUrlRetryCount the retry count of the URL specified by dwCurrentUrlIdx; maximum value is set in the base config wBacksocksBackserverPort the port of the server</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>111</th>\n",
       "      <td>base config wBacksocksBackserverPort the port of the server of the backconnect socks proxy wVncBackserverPort the port of the server of the backconnect vnc</td>\n",
       "      <td>{Proxy - T1090}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>112</th>\n",
       "      <td>port of the server of the backconnect vnc module 4.3 Bot Update 18 4.3 Bot Update Oncepersistedinthevictim’ssystem,Pandaisabletoupdatethemalwareexecutableby itsown. Intheusualcase,Pandathereforedownloadsthenewexecutabletoatemporary file. The file is located in the directory returned by GetTempPathW. The name of the file is of the form updXXXXXXXX.exe where XXXXXXXX is the hexadecimal representation of a 4-byte random number. After writing the file and applying the PeSettings to the Extended File Attributes, the ”update” is executed using CreateProcessW with -f as an argument flag. This triggers the ”update” functionality of the bot so that all necessary settings are copied over to the new executable. In the case of having Panda Antivirus present in the system, Panda overwrites the old malware executable in place and directly copies over the local settings instead of creating and executing a temporary file. 4.4 Configuration Update One of the first things Panda does after initializing itself and persisting in the system</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>113</th>\n",
       "      <td>after initializing itself and persisting in the system is to download a dynamic configuration from the command-and-control server. To do so, Panda’s base</td>\n",
       "      <td>{Ingress Tool Transfer - T1105}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>114</th>\n",
       "      <td>the command-and-control server. To do so, Panda’s base configuration (see section 4.2.1) contains a list of URLs from where to get the initial dynamic configuration. If the command-and-control server is already taken down at the time of checking, Panda cannot download a dynamic configuration and fails to exfiltrate any information. It still hooks all functions and gathers data</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>115</th>\n",
       "      <td>It still hooks all functions and gathers data (keystrokes, etc) but these information will never leave the system</td>\n",
       "      <td>{Keylogging - T1056.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>116</th>\n",
       "      <td>but these information will never leave the system until the bot is able</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>117</th>\n",
       "      <td>leave the system until the bot is able to download a (new) dynamic</td>\n",
       "      <td>{Ingress Tool Transfer - T1105}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>118</th>\n",
       "      <td>bot is able to download a (new) dynamic configuration. The download routine for</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>119</th>\n",
       "      <td>a (new) dynamic configuration. The download routine for the dynamic configuration uses three different ways to get a</td>\n",
       "      <td>{Ingress Tool Transfer - T1105}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>120</th>\n",
       "      <td>configuration uses three different ways to get a dynamic configuration. First, it tries to get a dynamic configuration file from the URL provided in url_config in the old dynamic config. Of course, this only works if Panda already received a dynamic config once. If it did not receive a dynamic config at that point, it tries to get a configuration file from each of the command-and-control domains of the base config. In case Panda is not able to download the dynamic config using the URL from the url_config field and the fallback command-and-control hosts (the malware allows for 5 failed retries for each of the domains), Panda takes</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>121</th>\n",
       "      <td>retries for each of the domains), Panda takes the encrypted data from the</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>122</th>\n",
       "      <td>domains), Panda takes the encrypted data from the reserved field, decrypts it, and</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140, Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>123</th>\n",
       "      <td>data from the reserved field, decrypts it, and tries to download a dynamic config from one of the</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>124</th>\n",
       "      <td>download a dynamic config from one of the URLs of that data. If Panda is still not able to get a dynamic config at that point, it uses a domain generation algorithm to generate a possible hostname. Therefore, it takes the current system timestamp and modifies it a way that it stays the same for three days (set msec, sec, minute, hour to zero and subtract (𝑑𝑎𝑦𝑂𝑓𝑀𝑜𝑛𝑡ℎ mod 3) * 𝑠𝑒𝑐𝑠𝑃𝑒𝑟𝐷𝑎𝑦 seconds from it). Then, Panda takes the</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>125</th>\n",
       "      <td>𝑠𝑒𝑐𝑠𝑃𝑒𝑟𝐷𝑎𝑦 seconds from it). Then, Panda takes the built-in RC4 key to initialize</td>\n",
       "      <td>{Remote Desktop Protocol - T1021.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>126</th>\n",
       "      <td>Panda takes the built-in RC4 key to initialize a RC4 state and xores the timestamp onto it (first 8 bytes xor with plain timestamp, second 8 bytes with binary inverted timestamp) and calculates</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>127</th>\n",
       "      <td>8 bytes with binary inverted timestamp) and calculates the SHA256 sum of the</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>128</th>\n",
       "      <td>timestamp) and calculates the SHA256 sum of the RC4 state. The result is then converted to a hex</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>129</th>\n",
       "      <td>The result is then converted to a hex string and is used as</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>130</th>\n",
       "      <td>to a hex string and is used as the first part of the generated domain. The 4.4 Configuration Update 19 second part of the domain is one of the domain suffixes from the base config and looks like ”XX.tld/filename.ext” for the sample I analyzed. But the suffix can change and is not bound to any special requirements except for that it needs to make a valid domain from the generated name. 5 Payload and Persistence 5.1 Persistence As part of the initialization procedure, Panda tries to persist in the following manner: First, it finds a suitable folder for the malware executable to reside in. In our case, it chose %APPDATA%\\Sun\\Java. It then moved the malware executable from the desktop to that folder and renamed it to Desktop (Create Shortcut).exe. Panda also creates threeextrafileswithrandomfileextensionswhichwillbelaterusedtotemporarilystore data. After moving the malware executable to the new folder, Panda adds a new value</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>131</th>\n",
       "      <td>the new folder, Panda adds a new value to the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key.This en- sures that the malware is executed each time the</td>\n",
       "      <td>{Modify Registry - T1112, Registry Run Keys / Startup Folder - T1547.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>132</th>\n",
       "      <td>that the malware is executed each time the infected user logs into the system. Additionally, it writes the initial PeSettings to Desktop (Create Shortcut).exe (see section 4.2.2). 5.2</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>133</th>\n",
       "      <td>to Desktop (Create Shortcut).exe (see section 4.2.2). 5.2 HTTP Grabber and Injector Since</td>\n",
       "      <td>{Web Protocols - T1071.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>134</th>\n",
       "      <td>section 4.2.2). 5.2 HTTP Grabber and Injector Since Panda is a banking trojan, its main purpose is to steal money from a victim’s bank account and to grab login credentials for the bank accounts (and possibly other web services) wherever possible. A crucial part of its activity therefore is to intercept the web traffic of the victim’s web browser(s) and to manipulate the content of the web page that is displayed in the browser. In order to achieve these goals Panda uses process</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>135</th>\n",
       "      <td>order to achieve these goals Panda uses process injection (section 5.3) and API</td>\n",
       "      <td>{Native API - T1106, Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>136</th>\n",
       "      <td>Panda uses process injection (section 5.3) and API hooking (section 5.4). To know</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>137</th>\n",
       "      <td>5.3) and API hooking (section 5.4). To know which web pages should be manipulated, Panda receives a list of URL masks and corresponding inject data. The inject data</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>138</th>\n",
       "      <td>masks and corresponding inject data. The inject data consist of the actual inject</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>139</th>\n",
       "      <td>The inject data consist of the actual inject (script inclusion from attacker-controlled web server) and a description of the position where the inject</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>140</th>\n",
       "      <td>a description of the position where the inject has to be placed in</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>141</th>\n",
       "      <td>where the inject has to be placed in the website. The included script is actually only a loader that loads the second stage</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>142</th>\n",
       "      <td>only a loader that loads the second stage of the inject which then</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>143</th>\n",
       "      <td>the second stage of the inject which then communicates with the Panda web backend and does further modifications to the web page. But there is a problem: today’s web browser implement a feature called content- security policy. With (one of) the CSP header(s) sent by the web server, a website owner can tell the browser in detail, from where to load e.g. additional JavaScript code. Correctly configured, this hinders Panda to retrieve the second stage loader because it is loaded from a different web server. But since Panda is a man-in-the-browser malware, it can remove those headers from the server response and the browser will retrieve the loader. Additionally,PandaremovestheTEandIf-Modified-Sinceheadersfromtherequest if the hijacked process is either Firefox or Chrome. This has two implications: web 5.2 HTTP Grabber and Injector 21 servers will never send responses that have another transfer encoding than chunked (or no transfer encoding at all) and the server will always send a response that contains a</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>144</th>\n",
       "      <td>will always send a response that contains a HTTP response body. If Panda</td>\n",
       "      <td>{Web Protocols - T1071.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>145</th>\n",
       "      <td>that contains a HTTP response body. If Panda would not remove the If-Modified-Since header, a web server might send a response with a 304 status code and no response body content. Usually, this instructs the browser to use a cached version of the web page because the pagecontentdidnotchangesincethelastrequest(thetimeofthelastrequestisspecified intheIf-Modified-Sinceheaderfield). ButsincePandainterceptswebtrafficbetween the raw socket and the handling of the browser, it cannot inject the malicious code into the response body because the web server never sent some. So, Panda must ensure that the web server sends a response body to be able to execute its injects. This can be achieved by removing the If-Modified-Since header and thereby simulating a fresh request to the web server. Another thing Panda needs to take care of is Accept-Encodings. If the web server sends encoded data (e.g. gzip’ed),</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>146</th>\n",
       "      <td>the web server sends encoded data (e.g. gzip’ed), Panda will need to decode</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140, Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>147</th>\n",
       "      <td>data (e.g. gzip’ed), Panda will need to decode it to be able to analyze the response and maybe</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>148</th>\n",
       "      <td>be able to analyze the response and maybe inject code. To avoid this, Panda simply changes (or adds) the Accept-Encoding request header to contain only identity which tells the web server to only send plain responses without any encoding at all. SincePandausesURLmaskstodetectwhichpagesitshouldinjectcodeinto, itmight happenthatthemasksmatchpagesthatdonotcontainvalidHTMLdata(e.g. pictures, documents). In order to avoid those files, Panda checks the server response for specific Content-Types. Only if a valid content type is specified in the response header Panda</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>149</th>\n",
       "      <td>type is specified in the response header Panda tries to find injection points in the data. Valid content</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>150</th>\n",
       "      <td>find injection points in the data. Valid content types are: ∙ text/ ∙ application/x-javascript ∙ application/javascript ∙ application/xml ∙ application/xhtml+xml ∙ application/octet-stream ∙ application/json Panda does not only inject data into web pages, it already grabs data at that point. If Panda finds any Authentication headers in the request, it checks for basic authentication and extracts username and password from it and adds it to the report. Additionally, Panda can extract all request data from GET and POST requests and reports them to the command-and-control server. For a more detailed analysis on how the actual webinjects work and what the com- munication with the ATS looks like, please see our blogposts by Manuel Körber-Bilgard 1 2 and Karsten Tellmann 1 https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/ 2 https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/ 5.3 Process Injection 22 5.3 Process Injection To apply its hooks, Panda needs to be part of each specific process space it wants to hook the functions in. In order to inject itself into the</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>151</th>\n",
       "      <td>in. In order to inject itself into the right process, Panda checks if</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>152</th>\n",
       "      <td>itself into the right process, Panda checks if the current targeted process fulfills some requirements: ∙ targeted process id ̸= current process id</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>153</th>\n",
       "      <td>∙ targeted process id ̸= current process id (→ avoid injecting into its own process) ∙ targeted process owner = current process owner</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>154</th>\n",
       "      <td>∙ targeted process owner = current process owner (→ avoid permission violation) ∙ the targeted process name must be one of: firefox.exe, chrome.exe, iexplore.exe, panda.exe, MicrosoftEdge.exe, or MicrosoftEdgeCP.exe If all of those requirements</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>155</th>\n",
       "      <td>MicrosoftEdge.exe, or MicrosoftEdgeCP.exe If all of those requirements are given, Panda injects itself into the process. This is done by allocating a virtual</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>156</th>\n",
       "      <td>process. This is done by allocating a virtual memory buffer of sufficient size in the target process using VirtualAllocEx. It then needs to relocate the copied binary because the old module base is most probably not the same it is in the remote one. If the relocation succeeded, Pandawritesitselfintothatfreshlyallocatedmemorysection. Afterwards, Pandacopies over run-time data that has been modified by the infecting process during initialization and which is needed</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>157</th>\n",
       "      <td>infecting process during initialization and which is needed by the injected code. After Panda successfully wrote all data into the address space of</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>158</th>\n",
       "      <td>wrote all data into the address space of the targeted process, it creates a thread in this process. The thread continues to install the hooks and all execute all other necessary functions. 5.4</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>159</th>\n",
       "      <td>and all execute all other necessary functions. 5.4 API Hooking Technique Asdescribedinsections5.5.1,5.5.2,5.5.3,and5.5.4,Pandausesahot-patchlikefunction overriding method to hook its desired</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>160</th>\n",
       "      <td>Technique Asdescribedinsections5.5.1,5.5.2,5.5.3,and5.5.4,Pandausesahot-patchlikefunction overriding method to hook its desired functions. Therefore, Panda overwrites the first 5 bytesofthefunctiontocontainajumptoitshookfunction. BecausePandaneedstocall the original function after doing its work in the hook function, it saves the overwritten instructions in a temporary buffer. For this purpose Panda has a</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>161</th>\n",
       "      <td>temporary buffer. For this purpose Panda has a built-in instruction length decoder. It</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>162</th>\n",
       "      <td>Panda has a built-in instruction length decoder. It then redirects the internal function resolver cache to point to</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>163</th>\n",
       "      <td>the internal function resolver cache to point to that area (a so-called trampoline). Probably Panda does this to prevent an infinite recursion when the hook calls the hooked function. Interestingly, Panda searches it’s own IAT for hooked functions. However, as Panda has replaced importing through the IAT with the import resolver function (for most functions including all hooked functions) this has no purpose. 5.5 Hooks and Browser Manipulation</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>164</th>\n",
       "      <td>has no purpose. 5.5 Hooks and Browser Manipulation After Panda successfully injected into its target processses (see section 5.3), it starts hooking all</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>165</th>\n",
       "      <td>processses (see section 5.3), it starts hooking all necessary functions to provide banking trojan capabillities. The detailed technique is described in section 5.4 so this section focuses on the individual browser and how Panda implements its malicious activities. 5.5 Hooks and Browser Manipulation 23 Figure 5.1: Flowgraph of the process infection thread. 5.5.1 Internet Explorer Since Internet Explorer is a browser made by Microsoft, it vastly depends on</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>166</th>\n",
       "      <td>browser made by Microsoft, it vastly depends on functions from the Windows API and has no dependencies on third-party DLLs that need to</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>167</th>\n",
       "      <td>no dependencies on third-party DLLs that need to be considered when hooking Internet Explorer. The actual hooks are done by overwriting some bytes in the function prologue (see section 5.4). The list of functions hooked by Panda is</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>168</th>\n",
       "      <td>The list of functions hooked by Panda is as follows: ∙ wininet!HttpSendRequestW ∙ wininet!HttpSendRequestA ∙ wininet!HttpSendRequestExW ∙ wininet!HttpSendRequestExA ∙ wininet!InternetReadFile ∙ wininet!InternetReadFileExW ∙</td>\n",
       "      <td>{Web Protocols - T1071.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>169</th>\n",
       "      <td>wininet!HttpSendRequestExW ∙ wininet!HttpSendRequestExA ∙ wininet!InternetReadFile ∙ wininet!InternetReadFileExW ∙ wininet!InternetReadFileExA 5.5 Hooks and Browser Manipulation 24 ∙ wininet!InternetQueryDataAvailabe ∙ wininet!InternetCloseHandle ∙ wininet!HttpOpenRequestW ∙ wininet!HttpOpenRequestA ∙ wininet!HttpQueryInfoA ∙ wininet!InternetConnectW ∙ wininet!InternetConnectA ∙ wininet!InternetWriteFile Additionally,Pandadisablesthephishingfiltertoavoidtriggeringitwiththewebinjects, through</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>170</th>\n",
       "      <td>∙ wininet!InternetConnectW ∙ wininet!InternetConnectA ∙ wininet!InternetWriteFile Additionally,Pandadisablesthephishingfiltertoavoidtriggeringitwiththewebinjects, through modifying the following registry keys: ∙ HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter\\Enabled ∙ HKCU\\Software\\Microsoft\\Internet</td>\n",
       "      <td>{Modify Registry - T1112, Registry Run Keys / Startup Folder - T1547.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>171</th>\n",
       "      <td>following registry keys: ∙ HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter\\Enabled ∙ HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter\\EnabledV8 ∙ HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter\\EnabledV9 And</td>\n",
       "      <td>{Modify Registry - T1112}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>172</th>\n",
       "      <td>Explorer\\PhishingFilter\\Enabled ∙ HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter\\EnabledV8 ∙ HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter\\EnabledV9 And it sets several internet zone policies to allow in order to get access to cookies and enable cross site script includes: ∙ URLACTION_CROSS_DOMAIN_DATA ∙ URLACTION_HTML_MIXED_CONTENT ∙ URLACTION_COOKIES ∙ URLACTION_COOKIES_ENABLED ∙ URLACTION_COOKIES_SESSION ∙ URLACTION_COOKIES_THIRD_PARTY ∙ URLACTION_COOKIES_SESSION_THIRD_PARTY And finally it disables the “bad certificate” warning by modifying</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>173</th>\n",
       "      <td>it disables the “bad certificate” warning by modifying the registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WarnonBadCertRecving</td>\n",
       "      <td>{Disable or Modify Tools - T1562.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>174</th>\n",
       "      <td>warning by modifying the registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WarnonBadCertRecving 5.5 Hooks and Browser Manipulation 25 5.5.2 Mozilla Firefox As described in section 5.5.3, Firefox uses a dynamically linked NSPR4.dll. This lowers the bounds for the malware to hook all necessary functions. Panda hooks the functions PR_Close, PR_Read, PR_Write, and PR_Poll by overwriting some bytes in the function prologue like it does for all Windows API hooks (see section 5.4). Similarly to Internet Explorer, Panda modifies the user preferences the better fit the needs of the malware. In the case of Firefox, it walks through the profiles directory of Firefox’s settings directory (%APPDATA%\\Mozilla\\Firefox) and sets the following user preferences to false: ∙ privacy.clearOnShutdown.cookies ∙ security.warn_viewing_mixed ∙ security.warn_viewing_mixed.show_once ∙ security.warn_submit_insecure ∙ security.warn_submit_insecure.show_once ∙ security.warn_entering_secure ∙ security.warn_entering_weak ∙ security.warn_leaving_secure ∙ network.http.spdy.enabled ∙ network.http.spdy.enabled.v2 ∙ network.http.spdy.enabled.v3 5.5.3 Google Chrome Hooking Google’s Chrome browser is different compared to Firefox or Internet Explorer, because Chrome uses functions from both the</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>175</th>\n",
       "      <td>Explorer, because Chrome uses functions from both the Windows API and Mozilla’s NSPR4 li- brary. The Windows API functions are as described in section 5.4. The difference between</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>176</th>\n",
       "      <td>as described in section 5.4. The difference between hooking Firefox and Chrome is that Chrome has a statically linked nspr4.dll instead of a dynamically linked one like Firefox has. Unfortunately, this has the conse- quencethatoneisnotabletouseGetProcAddresstogettheaddressofthefunctionand tooverwritesomebytesatthataddress. However,Chromeinternallyusesaglobalstruct of function pointers pointing to the actual functions. A pointer to this struct is shipped with each connection that is made by the browser. Panda tries to find the global struct and overwrites the function pointers in that specific struct to hook Chrome’s NSPR4 functions. The list of hooked functions (including Window API function) is as follows: ∙ PR_Write (NSPR4 overwrite) 5.6 Plug-in ability 26 ∙ PR_Read (NSPR4 overwrite) ∙ PR_Close (NSPR4 overwrite) ∙ closesocket (WinAPI-Hook) ∙ WSARecv (WinAPI-Hook) ∙ WSASend (WinAPI-Hook) ∙ recv (WinAPI-Hook) 5.5.4 User Functions In addition to the MITB hooks, Panda can</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>177</th>\n",
       "      <td>In addition to the MITB hooks, Panda can also take screenshots, logs keyboard input, and watches for clipboard pastes. To be able to</td>\n",
       "      <td>{Screen Capture - T1113}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>178</th>\n",
       "      <td>watches for clipboard pastes. To be able to log keyboard input, Panda hooks TranslateMessage for each process it</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>179</th>\n",
       "      <td>input, Panda hooks TranslateMessage for each process it is injected into. It then checks each windows message for</td>\n",
       "      <td>{Process Injection - T1055}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>180</th>\n",
       "      <td>into. It then checks each windows message for WM_KEYDOWN and logs the (unicode) character representation of the pressed</td>\n",
       "      <td>{Windows Management Instrumentation - T1047}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>181</th>\n",
       "      <td>logs the (unicode) character representation of the pressed key. Additionally, Panda listens for WM_MOUSEBUTTONDOWN events and triggers a</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>182</th>\n",
       "      <td>Panda listens for WM_MOUSEBUTTONDOWN events and triggers a screenshot for each of the</td>\n",
       "      <td>{Screen Capture - T1113}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>183</th>\n",
       "      <td>and triggers a screenshot for each of the next 100 mouse clicks if</td>\n",
       "      <td>{Malicious File - T1204.002}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>184</th>\n",
       "      <td>each of the next 100 mouse clicks if a corresponding webfilter was triggered previously (see section 5.7 for a descrip- tion of the webfilters). Additionally, Panda hooks GetClipboardData. Hooking this specific function allows the malware authors to capture passwords that are not typed by the user but instead are pasted into the form fields in the browser (e.g. because the passwords are saved in a file on disk or because the user uses a password manager). 5.6 Plug-in ability The Panda malware has the ability to dynamically load malware modules from web resources and to execute them in-place. This makes Panda a very flexible malware that can be retrofitted for other purposes. Technically, they re-implemented LoadLibrary without the need of having the actual library on disk. First, the malware allocates enough space for the loaded DLL in the virtual memory of its process using VirtualAlloc. Afterwards, Panda section-wise copiestheDLLintothepreviouslyallocatedblockofmemory. BecauseDLLsareposition independent, the third step is to relocate the sections. To achieve that, Panda walks through the relocation table (.reloc section) and resolves the required relocations by applying the</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>185</th>\n",
       "      <td>and resolves the required relocations by applying the base of the corresponding section</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>186</th>\n",
       "      <td>by applying the base of the corresponding section to it. Panda also needs to resolve the imports of the module. The list of imports can be shortly described as a \"what-where\" list. For each of the entries in the list, Panda uses LoadLibrary</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>187</th>\n",
       "      <td>the entries in the list, Panda uses LoadLibrary and GetProcAddress to resolve the</td>\n",
       "      <td>{File and Directory Discovery - T1083, Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>188</th>\n",
       "      <td>Panda uses LoadLibrary and GetProcAddress to resolve the address of the imported function</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>189</th>\n",
       "      <td>to resolve the address of the imported function and writes it to the corresponding entry in the list. Finally, it calls the DllMain</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>190</th>\n",
       "      <td>in the list. Finally, it calls the DllMain function of the loaded library to hand over control to</td>\n",
       "      <td>{Native API - T1106}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>191</th>\n",
       "      <td>the loaded library to hand over control to the initialization function of the DLL. Panda uses this technique to dynamically load its HttpGrabber,</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>192</th>\n",
       "      <td>uses this technique to dynamically load its HttpGrabber, Socks proxy, and VNC server</td>\n",
       "      <td>{Web Protocols - T1071.001}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>193</th>\n",
       "      <td>load its HttpGrabber, Socks proxy, and VNC server modules into the current process</td>\n",
       "      <td>{Web Protocols - T1071.001, Proxy - T1090}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>194</th>\n",
       "      <td>and VNC server modules into the current process space. 5.7 Webfilters 27 5.7 Webfilters Pandaimplementsafeaturethatiscalled“webfilters” bythemalwareauthors. Although, “filters” isnotthecorrecttermfrommypointofview. Consider!http://*microsoft.com* as an example for such a webfilter. The first character obviously does not belong to the actual URL although it should be clear that the exclamation mark stands for something like “not”. The position of the exclamation mark can be called “action” and is followed by the actual URL which can contain asterisks as placeholders for “any characters”. The full list of actions is as follows: P report request content if request type is POST ˆ block access to website and report the request content | (pipe symbol) during my analysis I was not yet able to determine what this is used for @ takes a screenshot (500x500</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>195</th>\n",
       "      <td>is used for @ takes a screenshot (500x500 pixels) on each of the</td>\n",
       "      <td>{Screen Capture - T1113}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>196</th>\n",
       "      <td>a screenshot (500x500 pixels) on each of the next 100 mouse clicks (at</td>\n",
       "      <td>{Malicious File - T1204.002}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>197</th>\n",
       "      <td>each of the next 100 mouse clicks (at max) ! don’t write a report or analyze the data</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>198</th>\n",
       "      <td>don’t write a report or analyze the data # takes a screenshot (fullscreen) on each of the next</td>\n",
       "      <td>{Screen Capture - T1113}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>199</th>\n",
       "      <td>a screenshot (fullscreen) on each of the next 100 mouse clicks (at max)</td>\n",
       "      <td>{Malicious File - T1204.002}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>200</th>\n",
       "      <td>of the next 100 mouse clicks (at max) % trigger the start of the VNC module (if not already started) &amp; trigger the</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>201</th>\n",
       "      <td>module (if not already started) &amp; trigger the start of the socks proxy module (if not already started) 5.8 Remote Script Inadditiontotheautomaticinformationgathering,Pandaprovidesascript-likeinterface whereitcantakeseveralcommandsandperformsactionsonthevictim’sPCaccordingly.</td>\n",
       "      <td>{Proxy - T1090}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>202</th>\n",
       "      <td>not already started) 5.8 Remote Script Inadditiontotheautomaticinformationgathering,Pandaprovidesascript-likeinterface whereitcantakeseveralcommandsandperformsactionsonthevictim’sPCaccordingly. Unfortunately, the script commands are</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>203</th>\n",
       "      <td>Script Inadditiontotheautomaticinformationgathering,Pandaprovidesascript-likeinterface whereitcantakeseveralcommandsandperformsactionsonthevictim’sPCaccordingly. Unfortunately, the script commands are hashed using CRC32 before comparing</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>204</th>\n",
       "      <td>script commands are hashed using CRC32 before comparing to the list of handlers so that we were not able to tell the names of the commands. But nevertheless we were able to determine the purpose of the commands by looking at their respective handlers. The possible actions the remote script can trigger, are: set shutdown flag shutdown PC after the script finished set maintenance shutdown flag shutdown PC in “minor maintenance” mode 5.8 Remote Script 28 uninstall removes</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>205</th>\n",
       "      <td>maintenance” mode 5.8 Remote Script 28 uninstall removes the bot from the PC</td>\n",
       "      <td>{Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>206</th>\n",
       "      <td>28 uninstall removes the bot from the PC update bot (force) updates the binary executable of the bot update config (force) updates the bot’s dynamic configuration block or unblock webinjects allows for disabling or enabling certain webinjects list files matching a given path pattern searches the local file</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>207</th>\n",
       "      <td>a given path pattern searches the local file system for all files matching</td>\n",
       "      <td>{File and Directory Discovery - T1083}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>208</th>\n",
       "      <td>the local file system for all files matching the pattern and adds the list to the report read files matching a given path pattern searchesthelocalfilesystemforallfilesmatchingthepatternandaddsthecontent of the files to the report remove a</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>209</th>\n",
       "      <td>of the files to the report remove a local file deletes a file from the local file system</td>\n",
       "      <td>{File Deletion - T1070.004}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>210</th>\n",
       "      <td>deletes a file from the local file system execute remote file downloads and executes an arbitrary file block</td>\n",
       "      <td>{Windows Command Shell - T1059.003, Ingress Tool Transfer - T1105}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>211</th>\n",
       "      <td>file downloads and executes an arbitrary file block or unblock a given URL</td>\n",
       "      <td>{Ingress Tool Transfer - T1105}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>212</th>\n",
       "      <td>arbitrary file block or unblock a given URL allows for blocking or unblocking a given URL so that the user can (or cannot) open the page in the browser enable HttpGrabber features grab passwords, forms, certificates, cookies (1+2), delete cookies (1+2), softlist, delete cache start VNC module (force)</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>213</th>\n",
       "      <td>(1+2), softlist, delete cache start VNC module (force) starts the VNC module start</td>\n",
       "      <td>{File Deletion - T1070.004}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>214</th>\n",
       "      <td>VNC module (force) starts the VNC module start VNC module and set a flag in the local settings (force) start the VNC module and sets the appropriate flag in the local settings start socks module (force) starts the</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>215</th>\n",
       "      <td>local settings start socks module (force) starts the Socks proxy module start socks module and set a flag</td>\n",
       "      <td>{Proxy - T1090}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>216</th>\n",
       "      <td>module start socks module and set a flag in the local settings (force)</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>217</th>\n",
       "      <td>set a flag in the local settings (force) starts the Socks proxy module and sets the approriate flag in the local settings 5.9</td>\n",
       "      <td>{Proxy - T1090}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>218</th>\n",
       "      <td>the approriate flag in the local settings 5.9 System Report 29 5.9 System Report Each time Panda communicates with the command-and-control server, it sends status information about the</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>219</th>\n",
       "      <td>command-and-control server, it sends status information about the bot back to the command-and-control</td>\n",
       "      <td>{Exfiltration Over C2 Channel - T1041}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>220</th>\n",
       "      <td>information about the bot back to the command-and-control server. The exact informa- tion depend on the type of the message sent to the server. But there are five groups of information that can be sent: SYSINFO_TIME ∙ current</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>221</th>\n",
       "      <td>information that can be sent: SYSINFO_TIME ∙ current system time (UTC) SYSINFO_USER ∙</td>\n",
       "      <td>{Exfiltration Over C2 Channel - T1041}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>222</th>\n",
       "      <td>SYSINFO_TIME ∙ current system time (UTC) SYSINFO_USER ∙ the name of the process executable where the control process resides in ∙ the current system user SYSINFO_BOTVERSION ∙ bot ID ∙ the botnet the client is part of ∙ the version of the bot SYSINFO_OS ∙ system version (e.g. 6.1 for Windows 7) ∙ service pack number ∙ build id ∙ architecture (32/64 bit) ∙ server edition? ∙ default ui language SYSINFO_MISC ∙ network latency ∙ localized time ∙ computer name ∙ installed antivirus, antispyware, and firewall products 6 Conclusion Panda must be considered to be among the more advanced types of malware. The code basis is large and sports a number of features not found in less sophisticated malware. These features include extensive anti-analysis code and an advanced hooking framework in which Panda brings, among other things, its</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>223</th>\n",
       "      <td>in which Panda brings, among other things, its own instruction length decoder. The code seems to be mature and the quality of the</td>\n",
       "      <td>{Deobfuscate/Decode Files or Information - T1140, Obfuscated Files or Information - T1027}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>224</th>\n",
       "      <td>to be mature and the quality of the code appears to be above the average for malware. The main purpose of Panda is to serve as a bankning trojan. Therefore its author equipped the malware with sophisticated capabilities and supports all major browsers in the Windows ecosystem. However, Panda shows significant flexibility allowing it to be used for other malicous purposes. For example, Panda implements a modifiable configuration that can be changed at any time by the attacker. Additionally, Panda is able to spy on user activity, provides a remotely accessible scripting language, and has the abillity to load a VNC server and</td>\n",
       "      <td>{}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>225</th>\n",
       "      <td>the abillity to load a VNC server and a SOCKS proxy module to provide additional remote access features to the attacker. Thus, the</td>\n",
       "      <td>{Proxy - T1090}</td>\n",
       "      <td>panda-whitepaper.pdf</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "</div>\n",
       "      <button class=\"colab-df-convert\" onclick=\"convertToInteractive('df-14e07b41-0ee8-4c5e-867a-8730a05e4353')\"\n",
       "              title=\"Convert this dataframe to an interactive table.\"\n",
       "              style=\"display:none;\">\n",
       "\n",
       "  <svg xmlns=\"http://www.w3.org/2000/svg\" height=\"24px\"viewBox=\"0 0 24 24\"\n",
       "       width=\"24px\">\n",
       "    <path d=\"M0 0h24v24H0V0z\" fill=\"none\"/>\n",
       "    <path d=\"M18.56 5.44l.94 2.06.94-2.06 2.06-.94-2.06-.94-.94-2.06-.94 2.06-2.06.94zm-11 1L8.5 8.5l.94-2.06 2.06-.94-2.06-.94L8.5 2.5l-.94 2.06-2.06.94zm10 10l.94 2.06.94-2.06 2.06-.94-2.06-.94-.94-2.06-.94 2.06-2.06.94z\"/><path d=\"M17.41 7.96l-1.37-1.37c-.4-.4-.92-.59-1.43-.59-.52 0-1.04.2-1.43.59L10.3 9.45l-7.72 7.72c-.78.78-.78 2.05 0 2.83L4 21.41c.39.39.9.59 1.41.59.51 0 1.02-.2 1.41-.59l7.78-7.78 2.81-2.81c.8-.78.8-2.07 0-2.86zM5.41 20L4 18.59l7.72-7.72 1.47 1.35L5.41 20z\"/>\n",
       "  </svg>\n",
       "      </button>\n",
       "\n",
       "\n",
       "\n",
       "    <div id=\"df-9227d585-f4e4-4ae3-8b03-3a69a0c9cb43\">\n",
       "      <button class=\"colab-df-quickchart\" onclick=\"quickchart('df-9227d585-f4e4-4ae3-8b03-3a69a0c9cb43')\"\n",
       "              title=\"Suggest charts.\"\n",
       "              style=\"display:none;\">\n",
       "\n",
       "<svg xmlns=\"http://www.w3.org/2000/svg\" height=\"24px\"viewBox=\"0 0 24 24\"\n",
       "     width=\"24px\">\n",
       "    <g>\n",
       "        <path d=\"M19 3H5c-1.1 0-2 .9-2 2v14c0 1.1.9 2 2 2h14c1.1 0 2-.9 2-2V5c0-1.1-.9-2-2-2zM9 17H7v-7h2v7zm4 0h-2V7h2v10zm4 0h-2v-4h2v4z\"/>\n",
       "    </g>\n",
       "</svg>\n",
       "      </button>\n",
       "    </div>\n",
       "\n",
       "<style>\n",
       "  .colab-df-quickchart {\n",
       "    background-color: #E8F0FE;\n",
       "    border: none;\n",
       "    border-radius: 50%;\n",
       "    cursor: pointer;\n",
       "    display: none;\n",
       "    fill: #1967D2;\n",
       "    height: 32px;\n",
       "    padding: 0 0 0 0;\n",
       "    width: 32px;\n",
       "  }\n",
       "\n",
       "  .colab-df-quickchart:hover {\n",
       "    background-color: #E2EBFA;\n",
       "    box-shadow: 0px 1px 2px rgba(60, 64, 67, 0.3), 0px 1px 3px 1px rgba(60, 64, 67, 0.15);\n",
       "    fill: #174EA6;\n",
       "  }\n",
       "\n",
       "  [theme=dark] .colab-df-quickchart {\n",
       "    background-color: #3B4455;\n",
       "    fill: #D2E3FC;\n",
       "  }\n",
       "\n",
       "  [theme=dark] .colab-df-quickchart:hover {\n",
       "    background-color: #434B5C;\n",
       "    box-shadow: 0px 1px 3px 1px rgba(0, 0, 0, 0.15);\n",
       "    filter: drop-shadow(0px 1px 2px rgba(0, 0, 0, 0.3));\n",
       "    fill: #FFFFFF;\n",
       "  }\n",
       "</style>\n",
       "\n",
       "    <script>\n",
       "      async function quickchart(key) {\n",
       "        const containerElement = document.querySelector('#' + key);\n",
       "        const charts = await google.colab.kernel.invokeFunction(\n",
       "            'suggestCharts', [key], {});\n",
       "      }\n",
       "    </script>\n",
       "\n",
       "      <script>\n",
       "\n",
       "function displayQuickchartButton(domScope) {\n",
       "  let quickchartButtonEl =\n",
       "    domScope.querySelector('#df-9227d585-f4e4-4ae3-8b03-3a69a0c9cb43 button.colab-df-quickchart');\n",
       "  quickchartButtonEl.style.display =\n",
       "    google.colab.kernel.accessAllowed ? 'block' : 'none';\n",
       "}\n",
       "\n",
       "        displayQuickchartButton(document);\n",
       "      </script>\n",
       "      <style>\n",
       "    .colab-df-container {\n",
       "      display:flex;\n",
       "      flex-wrap:wrap;\n",
       "      gap: 12px;\n",
       "    }\n",
       "\n",
       "    .colab-df-convert {\n",
       "      background-color: #E8F0FE;\n",
       "      border: none;\n",
       "      border-radius: 50%;\n",
       "      cursor: pointer;\n",
       "      display: none;\n",
       "      fill: #1967D2;\n",
       "      height: 32px;\n",
       "      padding: 0 0 0 0;\n",
       "      width: 32px;\n",
       "    }\n",
       "\n",
       "    .colab-df-convert:hover {\n",
       "      background-color: #E2EBFA;\n",
       "      box-shadow: 0px 1px 2px rgba(60, 64, 67, 0.3), 0px 1px 3px 1px rgba(60, 64, 67, 0.15);\n",
       "      fill: #174EA6;\n",
       "    }\n",
       "\n",
       "    [theme=dark] .colab-df-convert {\n",
       "      background-color: #3B4455;\n",
       "      fill: #D2E3FC;\n",
       "    }\n",
       "\n",
       "    [theme=dark] .colab-df-convert:hover {\n",
       "      background-color: #434B5C;\n",
       "      box-shadow: 0px 1px 3px 1px rgba(0, 0, 0, 0.15);\n",
       "      filter: drop-shadow(0px 1px 2px rgba(0, 0, 0, 0.3));\n",
       "      fill: #FFFFFF;\n",
       "    }\n",
       "  </style>\n",
       "\n",
       "      <script>\n",
       "        const buttonEl =\n",
       "          document.querySelector('#df-14e07b41-0ee8-4c5e-867a-8730a05e4353 button.colab-df-convert');\n",
       "        buttonEl.style.display =\n",
       "          google.colab.kernel.accessAllowed ? 'block' : 'none';\n",
       "\n",
       "        async function convertToInteractive(key) {\n",
       "          const element = document.querySelector('#df-14e07b41-0ee8-4c5e-867a-8730a05e4353');\n",
       "          const dataTable =\n",
       "            await google.colab.kernel.invokeFunction('convertToInteractive',\n",
       "                                                     [key], {});\n",
       "          if (!dataTable) return;\n",
       "\n",
       "          const docLinkHtml = 'Like what you see? Visit the ' +\n",
       "            '<a target=\"_blank\" href=https://colab.research.google.com/notebooks/data_table.ipynb>data table notebook</a>'\n",
       "            + ' to learn more about interactive tables.';\n",
       "          element.innerHTML = '';\n",
       "          dataTable['output_type'] = 'display_data';\n",
       "          await google.colab.output.renderOutput(dataTable, element);\n",
       "          const docLink = document.createElement('div');\n",
       "          docLink.innerHTML = docLinkHtml;\n",
       "          element.appendChild(docLink);\n",
       "        }\n",
       "      </script>\n",
       "    </div>\n",
       "  </div>\n"
      ],
      "text/plain": [
       "                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        
                                                                                                                                                                                                                                                                                                                                                                                              segment  \\\n",
       "0                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 ADVANCED ANALYTICS Analysis Results of Zeus.Variant.Panda Luca Ebach Analysis Report. June 22, 2017 G DATA Advanced Analytics GmbH G DATA Campus · Königsallee 178 D-44799 Bochum, Germany Contents 1 Introduction 2 2 Overview 3 2.1 General Information . . . . . . . . . . . . . . . . . . . . 3 2.2 Execution Flow . . . . . . . . . . . . . 4 3 Anti-Detection and Anti-Reverse-Engineering Techniques 6 3.1 Malware Startup Checks . . . . . . . . 6 3.1.1 Debug support . . . . . . . . . . . . . . 6 3.1.2 Language checks . . . . . . . . 6 3.1.3 Anti analysis check . . . . . . . . . . . . 6 3.2 Windows API Imports . . . . . . . . . 10 3.3 Crypted Strings . . . . . . . . . . . . . 10 3.4 Cryptography . . . . . . . . . 11 3.4.1 Random Numbers . . . . . . . . . . . . 11 3.4.2 Cryptography . . . . . . . . . . . . . . . 11 3.4.3 Hashing . . . . . . . . 12 4 Configuration 13 4.1 Bot ID . . . . . . . . 13 4.2 Configuration . . . . . . . . . . . . . . 
13 4.2.1 Base Config . . . . . . . . . . . 13 4.2.2 Local Config (PeSettings) . . . . . . . . 14 4.2.3 Dynamic Config . . . . . . . . . . . . . 15 4.2.4 Local Settings. . . . . . . . . . 17 4.3 Bot Update . . . . . . . . . . . . . . . 18 4.4 Configuration Update . . . . . . . . . . . . . . 18 5 Payload and Persistence 20 5.1 Persistence . . . . . . . . . . 20 5.2 HTTP Grabber and Injector. . . . . . . . . .   \n",
       "1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                                                                                                           . . . . . . . . . 20 5.3 Process Injection   \n",
       "2                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                                                                                                           . . . . 20 5.3 Process Injection . . . . .   \n",
       "3                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                                                                                                            5.3 Process Injection . . . . . . . . . .   \n",
       "4    . . . . . . . . . . 22 5.4 API Hooking Technique . . . . . . . . 22 5.5 Hooks and Browser Manipulation . . . . . . . . . . . . . 22 5.5.1 Internet Explorer . . . . . . . . . . . . . 23 5.5.2 Mozilla Firefox . . . . . . . . . . . . . . 25 5.5.3 Google Chrome . . . . . . . . . . . . . . 25 5.5.4 User Functions . . . . . . . . . 26 Contents 1 5.6 Plug-in ability. . . . . . . . . . . . . . 26 5.7 Webfilters . . . . . . . . . . . 27 5.8 Remote Script. . . . . . . . . 27 5.9 System Report . . . . . . . . . . . . . 29 6 Conclusion 30 1 Introduction Aside from ransomware attacks, banking trojans are also a very dangerous type of mal- ware. They do not have destructive behaviour in the first place, so their presence on a victim’s system might not be detected for quite an amount of time if the victim has no proper antivirus product installed. Since Panda is possibly among the most dangerous familiesofbankingtrojans, wedecidedtodoacomprehensiveanalysisofarecentsample of Panda. In this paper we focus on the analysis of the binary part of a Zeus.Panda malware sample. Foradetailedanalysisoftheactualwebinjectbehaviourandthecommunication flow between infected machines and the automatic transfer system’s server, please refer 1 2 to our blogposts by Manuel Körber-Bilgard and Karsten Tellmann. 1 https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/ 2 https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/ 2 Overview 2.1 General Information The original Zeus banking trojan’s source code was leaked in 2011 and since then several independent threat actors have used the source code as a basis for new variants of the malware. One of the most prolific and advanced of these variants is the Zeus.Panda banking trojan which we will analyse in this white paper. Zeus.Panda targets Windows operating systems from WinXP through Windows 10 and is typically spread through phishing mail campaigns, but proliferation through drive-by exploits has been seen. 
The sample analyzed in this whitepaper is: MD5 Packed: e005c4009c22e0f73fcdaeba99bd0075 Unpacked: 655f65b1b08621dfcb2603b59fca05bc SHA1 Packed: 6f5c186baa0d69799c250769052236b8bcfb13a1 Unpacked: 88782d3b74067d405e56f0a5e9b92e3fdb77dcd8 SHA256 Packed: d037723b90acb9d5a283d54b833e171e913f6fa7f44dd6d996d0cecae9595d0b Unpacked: bd956b2e81731874995b9b92e20f75dbf67ac5f12f9daa194525e1b673c7f83c Size   \n",
       "5                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
                                                                                          Unpacked: 88782d3b74067d405e56f0a5e9b92e3fdb77dcd8 SHA256 Packed: d037723b90acb9d5a283d54b833e171e913f6fa7f44dd6d996d0cecae9595d0b Unpacked: bd956b2e81731874995b9b92e20f75dbf67ac5f12f9daa194525e1b673c7f83c Size Packed: 252 KB Unpacked: 140 KB Number of Functions 538 IOCs (Filesystem) Panda tries to   \n",
       "6                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      of Functions 538 IOCs (Filesystem) Panda tries to find a directory underneath %APPDATA%\\Roaming that ∙ is empty, ∙ has a path that is at least 140 characters long, ∙ does not contain either of microsoft or firefox, and ∙ is as deep in the directory tree as possible In 
our analysis environment, Panda ended up in %APPDATA%\\Roaming\\Sun\\Java. Inthedirectory,Pandacreatesfourfileswithrandomfileextensions. Wediscovered 2.2 Execution Flow 4 Desktop (create shortcut).exe(malwareexecutable),Control Panel.cyd(dy- namicconfigfile,section4.2.3),Desktop.ysq(reportfile,section5.9),andNotepad.kix (localconfig file, section 4.2.2). IOCs (Registry) Aside from writing some   \n",
       "7                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                                                                    section 4.2.2). IOCs (Registry) Aside from writing some files to disk, Panda also   \n",
       "8                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
                                                                                                                                                                                                                from writing some files to disk, Panda also uses some registry keys to store data. AlltheregistrykeysusedbyPandaarelocatedintheHKCU\\Software\\Microsoft key. The names of the keys are   \n",
       "9                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
                                                                                                                AlltheregistrykeysusedbyPandaarelocatedintheHKCU\\Software\\Microsoft key. The names of the keys are random and in our system we observed Ivoc (reg- DynamicConfig), Kounhu (regLocalConfig), and Useglugy (regLocalSettings). See section 4.2.2 for a more detailed description of the   \n",
       "10                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                4.2.2 for a more detailed description of the configuration. Additionally, PandacreatesanewentrywithintheHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key which is used to start the malware as soon as   \n",
       "11                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                               used to start the malware as soon as the infected user logs into its account. IOCs (other) Internally, Panda uses several mutexes and events to synchronize between the controlling process and the client instances in the browsers. The names of these objects are fixed on the local system but are different for any other system. Al- though, the   \n",
       "12                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                           different for any other system. Al- though, the names are 32-character hexadecimal strings   \n",
       "13                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 Al- though, the names are 32-character hexadecimal strings in either case. Example: 4A0000002571569EA477E09F768C1A07 2.2 Execution Flow Figure 2.1 gives an overview of the control flow of Zeus.Panda. Each step will be de- scribed in detail in the coming chapters. 2.2 Execution Flow 5 Figure 2.1: Control flow of the malware executable. 
3 Anti-Detection and Anti-Reverse-Engineering Techniques 3.1 Malware Startup Checks Before installing the malware executable in the victim’s system, Panda performs several checks to verify that it runs in a sane environment. 3.1.1 Debug support The first check verifies the integrity of a .dbg file. If the file is present on the file system, ithasthesamenameastheexecutable. The.dbgfilecontainsencryptedJSONdata3.4 of the form { \"data\": \"[data]\", \"sign\": \"[signature]\" } Afterreadingthecontentofthefile,PandahashesthedatapartoftheJSONobjectus- ing SHA1   \n",
       "14                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                             \"data\": \"[data]\", \"sign\": \"[signature]\" } Afterreadingthecontentofthefile,PandahashesthedatapartoftheJSONobjectus- ing SHA1 through the Windows Crypt API. Afterwards, it uses CryptVerifySignature to check the calculated hash against   \n",
       "15                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                             uses CryptVerifySignature to check the calculated hash against the content of the sign field using a static public key from the executable. If the signature is not valid, Panda removes itself from the   \n",
       "16                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                           is not valid, Panda removes itself from the system. If the signature check   \n",
       "17                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                   itself from the system. If the signature check is passed, Panda will bypass the subsequent anti-analysis code. 3.1.2 Language checks Once the debug support check is passed, Panda   \n",
       "18                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                     Once the debug support check is passed, Panda checks the current keyboard layout   \n",
       "19                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     is passed, Panda checks the current keyboard layout against a predefined list of layouts. In the sample I analyzed, the list contained 0x419, 0x422, 0x423, 0x43f which stand for russian, ukrainian, belarusian, and kazakh, respec- tively. If either of those matches the current keyboard layout, Panda removes itself from the victim’s PC. 3.1.3 Anti analysis check The last step of the pre-run checks is a rather long list of checks for debug and analysis tools. Some of these tools are antiquated such as SoftIce where support stopped long before Windows XP which is the least recent operating system supported by Panda. Other of the tools such as IDA Pro and Immunity Debugger remain popular tools with 3.1 Malware Startup Checks 7 malware analysts. 
If any of these tools are present Panda aborts execution and removes itself. To identify analysis tools Panda uses four different types of tests: file use CreateFile with OPEN_EXISTING flag to check if a file/device exists mutex use OpenMutex to try to open an existing mutex running process useCreateToolhelp32Snapshottogetthelistofcurrentlyrunningprocesssesand check if any of them contains   \n",
       "20                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                      process useCreateToolhelp32Snapshottogetthelistofcurrentlyrunningprocesssesand check if any of them contains a given string registry key useRegOpenKeytocheckifaregistrykeyexistsor checkaregistrykeyifitcontains a given value Thefulllistcontainschecksfor23toolsandisshowninthetableattheendofthesection. If either of those   \n",
       "21                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                            a given value Thefulllistcontainschecksfor23toolsandisshowninthetableattheendofthesection. If either of those tests fails, Panda stops to   \n",
       "22                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                            either of those tests fails, Panda stops to installing and removes itself from the system. Although, these checks can be skipped using -f   \n",
       "23                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                              Although, these checks can be skipped using -f as a command line parameter at the start of the malware. aut2exe process aut2exe running   \n",
       "24                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                       start of the malware. aut2exe process aut2exe running Bochs registry key HKLM\\HARDWARE\\Description\\System\\SystemBiosVersion contains BOCHS Execute file C:\\\\execute.exe exists   \n",
       "25                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      key HKLM\\HARDWARE\\Description\\System\\SystemBiosVersion contains BOCHS Execute file C:\\\\execute.exe exists Frz mutex with name Frz_State exists IDA Pro process idaq running ImmunityDBG process immunity running Perl process perl running PopupKiller file C:\\popupkiller.exe exists prl One of: 3.1 Malware Startup Checks 8 ∙ file \\\\.\\prl_pv exists ∙ file \\\\.\\prl_tg exists ∙ file \\\\.\\prl_time exists ProcessExplorer process procexp running ProcessMonitor process procmon running ProcessHacker process processhacker running Python process python running Regshot process regshot running Sandboxie One of: ∙ SbieDll.dll can be loaded by LoadLibraryA ∙ mutex Sandboxie_SingleInstanceMutex_Control exists SoftICE One of: ∙ file \\\\.\\SICE exists ∙ file \\\\.\\SIWVID exists ∙ file \\\\.\\SIWDEBUG exists ∙ file \\\\.\\NTICE exists ∙ file \\\\.\\REGVXG exists ∙ file 
\\\\.\\FILEVXG exists ∙ file \\\\.\\REGSYS exists ∙ file \\\\.\\FILEM exists ∙ file \\\\.\\TRW exists ∙ file \\\\.\\ICEXT exists Stimulator file C:\\stimulator.exe exists VirtualBox One of: 3.1 Malware Startup Checks 9 ∙ file \\\\.\\VBoxGuest exists ∙ file \\\\.\\VBoxMouse exists ∙ file \\\\.\\VBoxVideo exists ∙ file \\\\.\\VBoxMiniRdrDN exists ∙ file \\\\.\\VBoxMiniRdDN exists ∙ file \\\\.\\VBoxTrayIPC exists ∙ registry key HKLM\\SOFTWARE\\Oracle\\VirtualBox   \n",
       "26                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                               ∙ file \\\\.\\VBoxTrayIPC exists ∙ registry key HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions exists ∙ registry key HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__ exists VirtualPC One   \n",
       "27                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                              exists ∙ registry key HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__ exists VirtualPC One of: ∙ mutex MicrosoftVirtualPC7UserServiceMakeSureWe’reTheOnlyOneMutex exists   \n",
       "28                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                   exists VirtualPC One of: ∙ mutex MicrosoftVirtualPC7UserServiceMakeSureWe’reTheOnlyOneMutex exists ∙ file \\\\.\\VirtualMachineServices exists VMware   \n",
       "29                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                        mutex MicrosoftVirtualPC7UserServiceMakeSureWe’reTheOnlyOneMutex exists ∙ file \\\\.\\VirtualMachineServices exists VMware One of: ∙ file \\\\.\\HGFS exists ∙ file \\\\.\\vmci exists   \n",
       "30                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                              ∙ file \\\\.\\HGFS exists ∙ file \\\\.\\vmci exists ∙ registry key HKLM\\SOFTWARE\\VMware Inc.\\VMware Tools exists Wine One of:   \n",
       "31                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                   key HKLM\\SOFTWARE\\VMware Inc.\\VMware Tools exists Wine One of: ∙ kernel32.dll contains ”wine_get_unix_file_name\" function ∙ registry key HKLM\\Software\\WINE exists   \n",
       "32                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                        contains ”wine_get_unix_file_name\" function ∙ registry key HKLM\\Software\\WINE exists ∙ registry key HKCU\\Software\\WINE exists   \n",
       "33                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                               key HKLM\\Software\\WINE exists ∙ registry key HKCU\\Software\\WINE exists Wireshark One of: ∙ file \\\\.\\NPF_NdisWanIp exists ∙ process wireshark running Hypervisor One of: ∙ check if hypervisor bit of CPU is set ∙ file   \n",
       "34                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                   hypervisor bit of CPU is set ∙ file \\\\.\\VmGenerationCounter exists 3.2 Windows API Imports 10 Function Resolve(Module, FunctionID)   \n",
       "35                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                            3.2 Windows API Imports 10 Function Resolve(Module, FunctionID) { For exportName in Module.Exports { If (CRC32(exportName) == FunctionID) { Return AddressOfFunction(exportName) } } } Function Import(ModuleID, FunctionID) { If (FunctionID not in cache) { Module := DecryptName(ModuleID) If (Module is not loaded) {   \n",
       "36                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                      := DecryptName(ModuleID) If (Module is not loaded) { LoadLibrary(Module) } cache[functionID] := Resolve(Module,   \n",
       "37                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                             not loaded) { LoadLibrary(Module) } cache[functionID] := Resolve(Module, FunctionID) } Return cache[functionID] } Listing 3.1: Pseudocode describing the   \n",
       "38                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                Return cache[functionID] } Listing 3.1: Pseudocode describing the implementation of the Windows API import function. 3.2 Windows API Imports To harden itself against   \n",
       "39                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                             3.2 Windows API Imports To harden itself against static analysis, Panda avoids importing   \n",
       "40                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                             harden itself against static analysis, Panda avoids importing Windows API functions directly. Instead, it uses LoadLibrary and parses the export directory of libraries.   \n",
       "41                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                             LoadLibrary and parses the export directory of libraries. It creates a CRC32 hash of each export name and compares it to a hardcoded CRC32 of the name of the desired import. If the two match, the function address from the export directory of the library is used. In case of forwarded exports Panda reverts to import the function   \n",
       "42                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                          forwarded exports Panda reverts to import the function by using the GetProcAddress API. A simplified pseudo code of the import function is shown in listing 3.1. The actual   \n",
       "43                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                     function is shown in listing 3.1. The actual implementation is a bit more complicated, but this should give an overview of how it works. There are exceptions however. It seems that some imports are, by accident, left in the binary. Fortunately, this includes functions like LoadLibrary and GetProcAddress   \n",
       "44                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                             Fortunately, this includes functions like LoadLibrary and GetProcAddress which lowered the difficulty of   \n",
       "45                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  LoadLibrary and GetProcAddress which lowered the difficulty of the static analysis since we were able to determine the import function shortly after the start of the analysis. 
Also, calls to the Heap* func- tions (Alloc, Free, ReAlloc, Create, Destroy) and also a single call to Sleep are not imported using the custom import functions. 3.3 Crypted Strings Most strings an analyst might come across during the analysis process are encrypted. This hinders an analyst from using strings to determine the purpose of some functions. 3.4 Cryptography 11 struct cryptEntry { char key; char unused; short length; const char*   \n",
       "46                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                            char key; char unused; short length; const char* data; } Listing 3.2: The   \n",
       "47                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                                   length; const char* data; } Listing 3.2: The layout of an entry in   \n",
       "48                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                                Listing 3.2: The layout of an entry in the list of encrypted strings.   \n",
       "49                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                   an entry in the list of encrypted strings. Panda decrypts the strings on the fly whenever a string   \n",
       "50                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                the strings on the fly whenever a string is needed. The decryption routine for the i-th string is rather simple: 𝑜𝑢𝑡𝑝𝑢𝑡[𝑝𝑜𝑠] = 𝑝𝑜𝑠⊕𝑐𝑟𝑦𝑝𝑡𝑒𝑑𝑆𝑡𝑟𝑖𝑛𝑔𝑠[𝑖].𝑑𝑎𝑡𝑎[𝑝𝑜𝑠]⊕∼𝑐𝑟𝑦𝑝𝑡𝑒𝑑𝑆𝑡𝑟𝑖𝑛𝑔𝑠[𝑖].𝑘𝑒𝑦   \n",
       "51                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                              i-th string is rather simple: 𝑜𝑢𝑡𝑝𝑢𝑡[𝑝𝑜𝑠] = 𝑝𝑜𝑠⊕𝑐𝑟𝑦𝑝𝑡𝑒𝑑𝑆𝑡𝑟𝑖𝑛𝑔𝑠[𝑖].𝑑𝑎𝑡𝑎[𝑝𝑜𝑠]⊕∼𝑐𝑟𝑦𝑝𝑡𝑒𝑑𝑆𝑡𝑟𝑖𝑛𝑔𝑠[𝑖].𝑘𝑒𝑦 All encrypted strings are referenced   \n",
       "52                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                    𝑜𝑢𝑡𝑝𝑢𝑡[𝑝𝑜𝑠] = 𝑝𝑜𝑠⊕𝑐𝑟𝑦𝑝𝑡𝑒𝑑𝑆𝑡𝑟𝑖𝑛𝑔𝑠[𝑖].𝑑𝑎𝑡𝑎[𝑝𝑜𝑠]⊕∼𝑐𝑟𝑦𝑝𝑡𝑒𝑑𝑆𝑡𝑟𝑖𝑛𝑔𝑠[𝑖].𝑘𝑒𝑦 All encrypted strings are referenced in a large static array   \n",
       "53                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                  strings are referenced in a large static array of structures in the read- only section of the binary. Each entry is a structure of type cryptEntry (see listing 3.2) which consists of the key character, the length of the encrpyted string, and a   \n",
       "54                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                            the length of the encrpyted string, and a pointer to the actual encrypted   \n",
       "55                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                            string, and a pointer to the actual encrypted string. The decryption function then takes the index of the   \n",
       "56                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                        decryption function then takes the index of the to-be- decrypted string in the array of structs, extracts the   \n",
       "57                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                         string in the array of structs, extracts the key, length, and string pointer   \n",
       "58                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                               structs, extracts the key, length, and string pointer from it and than decrypts the strings into a given buffer. Depending on how this   \n",
       "59                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                               into a given buffer. Depending on how this function is used, it either   \n",
       "60                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                      on how this function is used, it either decrypts the strings onto the stack (if the function is   \n",
       "61                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                            strings onto the stack (if the function is directly called) or the string   \n",
       "62                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                 the function is directly called) or the string is encrypted into the heap if any of the intermediate   \n",
       "63                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     into the heap if any of the intermediate 
function is called. During the analysis we used the IDAPython plugin idaemu (frontend for UnicornEngine for use in IDA Pro) to emulate the encryption function for all possible string indexes and annotated the IDA database accordingly. 3.4 Cryptography 3.4.1 Random Numbers Instead of using WinAPI functions to generate random numbers, Panda uses the Mersenne Twister MT 19937 to generate random numbers. Panda   \n",
       "64                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                  Twister MT 19937 to generate random numbers. Panda provides internal API functions to generate single numbers or buffers with support for upper and   \n",
       "65                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                numbers or buffers with support for upper and lower bounds for the numbers. 
3.4.2 Cryptography Additionally, Panda uses a set of cryptographic algorithms to encrypt and hash sensitive data to prevent analysis and manipulation of the data. For example, Panda encrypts almost all settings and configuration values in memory. The algorithms used are AES and RC4. Both of them are used either with a hardcoded or with a dynamic key (which is generated during the first run of the malware). Interestingly, both AES and RC4 share the same dynamic binary key material. RC4 (static key) ∙ parts of the basic   \n",
       "66                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                              RC4 (static key) ∙ parts of the basic config that are double encrypted 3.4 Cryptography 12 ∙ PeSettings in the extended file attributes   \n",
       "67                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                         12 ∙ PeSettings in the extended file attributes of the malware executable (see sec- tion 4.2.2) ∙ object name generation (RC4 is used for scrambling there, no cryptographic   \n",
       "68                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                     (RC4 is used for scrambling there, no cryptographic purpose) ∙ encrypted data in   \n",
       "69                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                            there, no cryptographic purpose) ∙ encrypted data in dynamic config (e.g. backconnect IPs   \n",
       "70                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                         encrypted data in dynamic config (e.g. backconnect IPs and ports for Vnc and   \n",
       "71                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                            (e.g. backconnect IPs and ports for Vnc and Socks) RC4 (dynamic key) ∙ local settings (see section 4.2.4)   \n",
       "72                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                         (dynamic key) ∙ local settings (see section 4.2.4) ∙ report data that is temporarily stored on disk until it is submitted to the command-and-control server AES (static key)   \n",
       "73                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                           submitted to the command-and-control server AES (static key) ∙ base config decryption (see   \n",
       "74                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                      AES (static key) ∙ base config decryption (see section 4.2.1) ∙ internal public   \n",
       "75                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                      config decryption (see section 4.2.1) ∙ internal public key decryption ∙ decryption of delay-loaded binary modules ∙ communication with command-and-control server AES (dynamic   \n",
       "76                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                  modules ∙ communication with command-and-control server AES (dynamic key) ∙ registry data (dynamic config, local config; see section 4.2.3 and 4.2.2) 3.4.3 Hashing   \n",
       "77                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                     config; see section 4.2.3 and 4.2.2) 3.4.3 Hashing Aside from encrypting data, Panda also uses some cryptographic hash functions. SHA256 ∙ DGA hostname generation (see section 4.4) ∙ bot ID (see section 4.1) ∙ object name generation ∙ integrity check of AES encrypted data sent by the command-and-control   \n",
       "78                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                           of AES encrypted data sent by the command-and-control server SHA1 ∙ signature verification   \n",
       "79                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                       by the command-and-control server SHA1 ∙ signature verification of the binary module data sent by the command-and- control server 4 Configuration 4.1 Bot ID To be able to track and control each malware instance in the botnet, Panda generates a unique bot id. The bot id is a 32-byte hex string that can   \n",
       "80                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                                          id is a 32-byte hex string that can be described as 𝐵𝑜𝑡𝐼𝐷 ←   \n",
       "81                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                string that can be described as 𝐵𝑜𝑡𝐼𝐷 ← 𝐻𝑒𝑥𝑆𝑡𝑟𝑖𝑛𝑔(𝑆𝐻𝐴256(𝑐𝑜𝑚𝑝𝑢𝑡𝑒𝑟𝑁𝑎𝑚𝑒||𝑖𝑛𝑠𝑡𝑎𝑙𝑙𝐷𝑎𝑡𝑒||𝑝𝑟𝑜𝑑𝑢𝑐𝑡𝐼𝑑||𝑣𝑒𝑟𝑠𝑖𝑜𝑛𝐼𝑛𝑓𝑜)) where computerName local computer name, fallback to ”unknown” if error in GetComputerNameW installDate contentofregistrykeyHKLM\\Software\\Microsoft\\Windows NT\\Current Version\\InstallDate productId CRC32sumofthecontentoftheregistrykeyHKLM\\Software\\Microsoft\\Windows NT\\Current Version\\DigitalProductId; fallback to 0 if failed getting key value versionInfo CRC32 sum of OSVERSIONINFOEXW where everything from (and including) szCS- DVersion is zeroed out (szCSDVersion, wServicePackMajor, wServicePackMinor, wSuiteMask,wProductType,wReserved);fallbacktoCRC32sumof sizeof(OSVERSIONINFOEXW) zeroes Apart from identifying the bot, the bot id is also used as part of the algorithm that generates kernel object names (mutexes, window class names, event names, etc). 4.2 Configuration Panda uses three different types of configurations: base, local, and dynamic. Each type of config has its own special purpose and is not available through static analysis – except for the base config. 
4.2.1 Base Config Fortheinitialconfigurationandthefirstconnectionstothecommand-and-controlserver, Panda contains a static base config with default settings for the most important confi- guration values. This includes the following values: 4.2 Configuration 14 dwDelayConfig delay in minutes how long to wait until malware starts to get the initial dynamic config dwRc4KeyLength length of the binary RC4 key szwDGAConfigUrls list of URLs suffixes   \n",
       "82                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                       binary RC4 key szwDGAConfigUrls list of URLs suffixes for the DGA (see section   \n",
       "83                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                                of URLs suffixes for the DGA (see section 4.4) rc4Key binary RC4 key,   \n",
       "84                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                      DGA (see section 4.4) rc4Key binary RC4 key, used to encrypt the PeSettings dwDGAConfigUrlsLength length of szwDGAConfigUrls szwInitialCnCHosts   \n",
       "85                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                      encrypt the PeSettings dwDGAConfigUrlsLength length of szwDGAConfigUrls szwInitialCnCHosts an encrypted, null-separated list of   \n",
       "86                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                              of szwDGAConfigUrls szwInitialCnCHosts an encrypted, null-separated list of strings for initial command-and-control do-   \n",
       "87                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               null-separated list of strings for initial command-and-control do- mains dwWaitAfterProcessInfection delay in minutes how long to wait for the core process to be initialized dwCnCUrlCount number of command-and-control domains in szwInitialCncHosts dwCheckConfigDelay delay in minutes for next dynamic config check 4.2.2 Local Config (PeSettings) The local config the data that is shared by all instances of the Panda malware on the local system and is generated only once at the first start of the malware and is then persisted in the malware executable using Extended File Attributes. 
The values of the PeSettings structure are as follows: dwStructSize the size of the structure szwBotId the ID of the bot that is used to identify the client against the backend server (see section 4.1) guid theGUIDofthelocalsystem; ifthemalwareisexecutedagainafterthefirststart,it recalculatestheguidandchecksifitmatchestheonefromthePeSettings. Ifthisis not the case, Panda aborts its execution. This can be used to check if the malware wasmovedtoanotherPCafteritwasstartedonce(e.g. copyingapersistedsample 4.2 Configuration 15 of the malware from a victim’s computer to an analysis environment of a malware analyst) rc4BinKey this RC4 key is   \n",
       "88                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                                a malware analyst) rc4BinKey this RC4 key is used to encrypt all data   \n",
       "89                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                                        RC4 key is used to encrypt all data that goes to the registry   \n",
       "90                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                                    encrypt all data that goes to the registry keys (e.g. a backup of   \n",
       "91                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                            to the registry keys (e.g. a backup of the currently used dynamic config)   \n",
       "92                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
              a backup of the currently used dynamic config) dwInfectionId a random number identifying the current infection szwCoreFile, szwReportFile, szwDynConfigFile, szwLocalConfigFile files on the local filesystem; szwCoreFile is the name of the malware executable; szwReportFile contains the path to the file where Panda temporarily stores the report data until they are sent to the   \n",
       "93                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                          report data until they are sent to the server; szwDynConfigFile points to the file where the dynamic config   \n",
       "94                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                           points to the file where the dynamic config is backed up on the filesystem; szwLocalConfigFile contains the file where the local config is   \n",
       "95                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                           contains the file where the local config is stored regKey a random registry key name regDynamicConfig thenameoftheregistrykeythatcontainsthebackupofthecurrentdynamicconfig regLocalConfig   \n",
       "96                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                 a random registry key name regDynamicConfig thenameoftheregistrykeythatcontainsthebackupofthecurrentdynamicconfig regLocalConfig the name of the registry key containing a backup of   \n",
       "97                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                 of the registry key containing a backup of the local PeSettings regLocalSettings the   \n",
       "98                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                       a backup of the local PeSettings regLocalSettings the name of the registry key   \n",
       "99                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                       PeSettings regLocalSettings the name of the registry key that is used to store   \n",
       "100                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                              the registry key that is used to store the local settings into (e.g. IDs of socks and VNC modules) 4.2.3 Dynamic Config ThefirstthingPandadoesafterinitializingandinjectingintoitsrun-timehostprocessis   \n",
       "101                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                   socks and VNC modules) 4.2.3 Dynamic Config ThefirstthingPandadoesafterinitializingandinjectingintoitsrun-timehostprocessis to download a dynamic config from its command-and-control server. This   \n",
       "102                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         a dynamic config from its command-and-control server. This configuration is created by the command-and-control server on demand and can change at any time. This allows the malware operator to maintain his control capabillity even in the event that the static configured command and control server is shut down. But especially the dynamic configuration is interesting for malware analysts because it contains the URLs and/or IP addresses of the ATS server(s). Panda uses its built-in JSON parser to parse the dynamic configuration. 
The malware makes use of the following values: created the creation date of the config; used to check if the downloaded one is newer than the local one botnet the name of the botnet the client is part of 4.2 Configuration 16 check_config time in seconds when to check for the next dynamic config send_report time in seconds when to send the next system report check_update time in seconds when to check for the next client update url_config the url from where to download the next dynamic config url_webinjects the url from where to download the webinjects url_update the url for the bot update url_plugin_vnc32 the url for the VNC32 module url_plugin_vnc64 the url for the VNC64 module url_plugin_vnc_backserver the URL/IP address where the VNC module should connect to url_plugin_grabber the url for the http grabber module url_plugin_backsocks the url for the   \n",
       "103                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                  http grabber module url_plugin_backsocks the url for the backconnect socks proxy module url_plugin_backsocks_backserver the URL/IP address where the socks backconnect proxy should connect to reserved encrypted data, from the context of the use   \n",
       "104                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                encrypted data, from the context of the use of the data it seems that this is a list of fallback URLs for the download of the dynamic config (see section 4.4) grabber_pause time in minutes how 
long to wait until starting the grabber module There are some additional configuration values that can be provided which are not directly used by the sample, but probably used in one of the modules: grab_softlist/grab_pass/grab_form/grab_cert/grab_cookie/grab_del_cookie/grab_del_cache flags denoting whether the grabber module should grab specific data or to delete some data (cookies, cache)   \n",
       "105                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                     data or to delete some data (cookies, cache) 4.2 Configuration 17 dgaconfigs the   \n",
       "106                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                   data (cookies, cache) 4.2 Configuration 17 dgaconfigs the url for the DGA config file; the DGA config file contains a list of URL suffixes which are appended to a generated string from where the bot will try to   \n",
       "107                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                        string from where the bot will try to download the next dynamic configuration   \n",
       "108                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        will try to download the next dynamic configuration webfilters a list of URL masks where Panda can take special actions (see section 5.7) webinjects URLs, payloads, and location descriptions for the webinjects 4.2.4 Local Settings Additionally, Panda stores some run-time settings in a structure called LocalSettings 
by themalwareauthors. Thesesettingsarenotmeanttocontrolthebehaviourofthebot,it is more like a temporary data store of values that are client specific and need to be kept even after the malware is restarted (e.g. because of a system reboot). The structure contains the following values: dwModuleStartFlags bitmap denoting which of the modules has been started dwGrabberFlags bitmap denoting   \n",
       "109                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                              the modules has been started dwGrabberFlags bitmap denoting which of the http grabber features has been enabled dwPandaAntivirusFound set to 1 if Panda   \n",
       "110                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               been enabled dwPandaAntivirusFound set to 1 if Panda Antivirus was found, changes the behaviour of the bot update dwHashSet bitmap denoting which of the hashes has been set 
szConfigId,szWebinjectsId,szUpdateId,szGrabberId,szVnc32Id,szVnc64Id,szBack- socksId 65-byte buffers to store the hashes of the respective files/modules dwCurrentUrlIdx the index of the currently used update URL in the list fallback URLs dwUrlRetryCount the retry count of the URL specified by dwCurrentUrlIdx; maximum value is set in the base config wBacksocksBackserverPort the port of the server   \n",
       "111                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                          base config wBacksocksBackserverPort the port of the server of the backconnect socks proxy wVncBackserverPort the port of the server of the backconnect vnc   \n",
       "112                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                port of the server of the backconnect vnc module 4.3 Bot Update 18 4.3 Bot Update Oncepersistedinthevictim’ssystem,Pandaisabletoupdatethemalwareexecutableby itsown. Intheusualcase,Pandathereforedownloadsthenewexecutabletoatemporary file. The file is located in the directory returned by GetTempPathW. The name of the file is of the form updXXXXXXXX.exe where XXXXXXXX is the hexadecimal representation of a 4-byte random number. After writing the file and applying the PeSettings to the Extended File Attributes, the ”update” is executed using CreateProcessW with -f as an argument flag. 
This triggers the ”update” functionality of the bot so that all necessary settings are copied over to the new executable. In the case of having Panda Antivirus present in the system, Panda overwrites the old malware executable in place and directly copies over the local settings instead of creating and executing a temporary file. 4.4 Configuration Update One of the first things Panda does after initializing itself and persisting in the system   \n",
       "113                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                            after initializing itself and persisting in the system is to download a dynamic configuration from the command-and-control server. To do so, Panda’s base   \n",
       "114                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
          the command-and-control server. To do so, Panda’s base configuration (see section 4.2.1) contains a list of URLs from where to get the initial dynamic configuration. If the command-and-control server is already taken down at the time of checking, Panda cannot download a dynamic configuration and fails to exfiltrate any information. It still hooks all functions and gathers data   \n",
       "115                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                    It still hooks all functions and gathers data (keystrokes, etc) but these information will never leave the system   \n",
       "116                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                              but these information will never leave the system until the bot is able   \n",
       "117                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                                   leave the system until the bot is able to download a (new) dynamic   \n",
       "118                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                      bot is able to download a (new) dynamic configuration. The download routine for   \n",
       "119                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                 a (new) dynamic configuration. The download routine for the dynamic configuration uses three different ways to get a   \n",
       "120                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             configuration uses three different ways to get a dynamic configuration. First, it tries to get a dynamic configuration file from the URL provided in url_config in the old dynamic config. 
Of course, this only works if Panda already received a dynamic config once. If it did not receive a dynamic config at that point, it tries to get a configuration file from each of the command-and-control domains of the base config. In case Panda is not able to download the dynamic config using the URL from the url_config field and the fallback command-and-control hosts (the malware allows for 5 failed retries for each of the domains), Panda takes   \n",
       "121                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                            retries for each of the domains), Panda takes the encrypted data from the   \n",
       "122                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                   domains), Panda takes the encrypted data from the reserved field, decrypts it, and   \n",
       "123                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                    data from the reserved field, decrypts it, and tries to download a dynamic config from one of the   \n",
       "124                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              download a dynamic config from one of 
the URLs of that data. If Panda is still not able to get a dynamic config at that point, it uses a domain generation algorithm to generate a possible hostname. To do so, it takes the current system timestamp and modifies it in a way that it stays the same for three days (set msec, sec, minute, hour to zero and subtract (𝑑𝑎𝑦𝑂𝑓𝑀𝑜𝑛𝑡ℎ mod 3) * 𝑠𝑒𝑐𝑠𝑃𝑒𝑟𝐷𝑎𝑦 seconds from it). Then, Panda takes the   \n",
       "125                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                    𝑠𝑒𝑐𝑠𝑃𝑒𝑟𝐷𝑎𝑦 seconds from it). Then, Panda takes the built-in RC4 key to initialize   \n",
       "126                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                    Panda takes the built-in RC4 key to initialize a RC4 state and xores the timestamp onto it (first 8 bytes xor with plain timestamp, second 8 bytes with binary inverted timestamp) and calculates   \n",
       "127                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                         8 bytes with binary inverted timestamp) and calculates the SHA256 sum of the   \n",
       "128                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                     timestamp) and calculates the SHA256 sum of the RC4 state. The result is then converted to a hex   \n",
       "129                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                                          The result is then converted to a hex string and is used as   \n",
       "130                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    to a hex string and is used as the first part of the generated domain. The 4.4 Configuration Update 19 second part of the domain is one of the domain suffixes from the base config and looks like ”XX.tld/filename.ext” for the sample I analyzed. But the suffix can change and is not bound to any special requirements except for that it needs to make a valid domain from the generated name. 
5 Payload and Persistence 5.1 Persistence As part of the initialization procedure, Panda tries to persist in the following manner: First, it finds a suitable folder for the malware executable to reside in. In our case, it chose %APPDATA%\\Sun\\Java. It then moved the malware executable from the desktop to that folder and renamed it to Desktop (Create Shortcut).exe. Panda also creates three extra files with random file extensions which will be later used to temporarily store data. After moving the malware executable to the new folder, Panda adds a new value   \n",
       "131                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                              the new folder, Panda adds a new value to the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key.This en- sures that the malware is executed each time the   \n",
       "132                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                              that the malware is executed each time the infected user logs into the system. Additionally, it writes the initial PeSettings to Desktop (Create Shortcut).exe (see section 4.2.2). 5.2   \n",
       "133                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                            to Desktop (Create Shortcut).exe (see section 4.2.2). 5.2 HTTP Grabber and Injector Since   \n",
       "134                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        section 4.2.2). 
5.2 HTTP Grabber and Injector Since Panda is a banking trojan, its main purpose is to steal money from a victim’s bank account and to grab login credentials for the bank accounts (and possibly other web services) wherever possible. A crucial part of its activity therefore is to intercept the web traffic of the victim’s web browser(s) and to manipulate the content of the web page that is displayed in the browser. In order to achieve these goals Panda uses process   \n",
       "135                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                      order to achieve these goals Panda uses process injection (section 5.3) and API   \n",
       "136                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                    Panda uses process injection (section 5.3) and API hooking (section 5.4). To know   \n",
       "137                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                 5.3) and API hooking (section 5.4). To know which web pages should be manipulated, Panda receives a list of URL masks and corresponding inject data. The inject data   \n",
       "138                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                    masks and corresponding inject data. The inject data consist of the actual inject   \n",
       "139                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                               The inject data consist of the actual inject (script inclusion from attacker-controlled web server) and a description of the position where the inject   \n",
       "140                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                                   a description of the position where the inject has to be placed in   \n",
       "141                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                          where the inject has to be placed in the website. The included script is actually only a loader that loads the second stage   \n",
       "142                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                                   only a loader that loads the second stage of the inject which then   \n",
       "143                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 the second stage of the inject which then communicates with the Panda web backend and does further modifications to the web page. But there is a problem: today’s web browser implement a feature called content- security policy. With (one of) the CSP header(s) sent by the web server, a website owner can tell the browser in detail, from where to load e.g. additional JavaScript code. Correctly configured, this hinders Panda to retrieve the second stage loader because it is loaded from a different web server. 
But since Panda is a man-in-the-browser malware, it can remove those headers from the server response and the browser will retrieve the loader. Additionally, Panda removes the TE and If-Modified-Since headers from the request if the hijacked process is either Firefox or Chrome. This has two implications: web 5.2 HTTP Grabber and Injector 21 servers will never send responses that have another transfer encoding than chunked (or no transfer encoding at all) and the server will always send a response that contains a   \n",
       "144                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                             will always send a response that contains a HTTP response body. If Panda   \n",
       "145                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  that contains a HTTP response body. If Panda would not remove the If-Modified-Since header, a web server might send a response with a 304 status code and no response body content. Usually, this instructs the browser to use a cached version of the web page because the pagecontentdidnotchangesincethelastrequest(thetimeofthelastrequestisspecified intheIf-Modified-Sinceheaderfield). 
But since Panda intercepts web traffic between the raw socket and the handling of the browser, it cannot inject the malicious code into the response body because the web server never sent some. So, Panda must ensure that the web server sends a response body to be able to execute its injects. This can be achieved by removing the If-Modified-Since header and thereby simulating a fresh request to the web server. Another thing Panda needs to take care of is Accept-Encodings. If the web server sends encoded data (e.g. gzip’ed),   \n",
       "146                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                          the web server sends encoded data (e.g. gzip’ed), Panda will need to decode   \n",
       "147                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                       data (e.g. gzip’ed), Panda will need to decode it to be able to analyze the response and maybe   \n",
       "148                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     be able to analyze the response and maybe inject code. 
To avoid this, Panda simply changes (or adds) the Accept-Encoding request header to contain only identity which tells the web server to only send plain responses without any encoding at all. Since Panda uses URL masks to detect which pages it should inject code into, it might happen that the masks match pages that do not contain valid HTML data (e.g. pictures, documents). In order to avoid those files, Panda checks the server response for specific Content-Types. Only if a valid content type is specified in the response header Panda   \n",
       "149                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                             type is specified in the response header Panda tries to find injection points in the data. Valid content   \n",
       "150                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      find injection points in the data. Valid content types are: ∙ text/ ∙ application/x-javascript ∙ application/javascript ∙ application/xml ∙ application/xhtml+xml ∙ application/octet-stream ∙ application/json Panda does not only inject data into web pages, it already grabs data at that point. If Panda finds any Authentication headers in the request, it checks for basic authentication and extracts username and password from it and adds it to the report. Additionally, Panda can extract all request data from GET and POST requests and reports them to the command-and-control server. 
For a more detailed analysis on how the actual webinjects work and what the communication with the ATS looks like, please see our blogposts by Manuel Körber-Bilgard 1 2 and Karsten Tellmann 1 https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/ 2 https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/ 5.3 Process Injection 22 5.3 Process Injection To apply its hooks, Panda needs to be part of each specific process space it wants to hook the functions in. In order to inject itself into the   \n",
       "151                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                                in. In order to inject itself into the right process, Panda checks if   \n",
       "152                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                  itself into the right process, Panda checks if the current targeted process fulfills some requirements: ∙ targeted process id ̸= current process id   \n",
       "153                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                ∙ targeted process id ̸= current process id (→ avoid injecting into its own process) ∙ targeted process owner = current process owner   \n",
       "154                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                 ∙ targeted process owner = current process owner (→ avoid permission violation) ∙ the targeted process name must be one of: firefox.exe, chrome.exe, iexplore.exe, panda.exe, MicrosoftEdge.exe, or MicrosoftEdgeCP.exe If all of those requirements   \n",
       "155                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                        MicrosoftEdge.exe, or MicrosoftEdgeCP.exe If all of those requirements are given, Panda injects itself into the process. This is done by allocating a virtual   \n",
       "156                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       process. 
This is done by allocating a virtual memory buffer of sufficient size in the target process using VirtualAllocEx. It then needs to relocate the copied binary because the old module base is most probably not the same it is in the remote one. If the relocation succeeded, Panda writes itself into that freshly allocated memory section. Afterwards, Panda copies over run-time data that has been modified by the infecting process during initialization and which is needed   \n",
       "157                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                  infecting process during initialization and which is needed by the injected code. After Panda successfully wrote all data into the address space of   \n",
       "158                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                     wrote all data into the address space of the targeted process, it creates a thread in this process. The thread continues to install the hooks and all execute all other necessary functions. 5.4   \n",
       "159                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                       and all execute all other necessary functions. 5.4 API Hooking Technique Asdescribedinsections5.5.1,5.5.2,5.5.3,and5.5.4,Pandausesahot-patchlikefunction overriding method to hook its desired   \n",
       "160                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Technique 
As described in sections 5.5.1, 5.5.2, 5.5.3, and 5.5.4, Panda uses a hot-patch like function overriding method to hook its desired functions. Therefore, Panda overwrites the first 5 bytes of the function to contain a jump to its hook function. Because Panda needs to call the original function after doing its work in the hook function, it saves the overwritten instructions in a temporary buffer. For this purpose Panda has a   \n",
       "161                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                               temporary buffer. For this purpose Panda has a built-in instruction length decoder. It   \n",
       "162                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                  Panda has a built-in instruction length decoder. It then redirects the internal function resolver cache to point to   \n",
       "163                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           the internal function resolver cache to point to that 
area (a so-called trampoline). Probably Panda does this to prevent an infinite recursion when the hook calls the hooked function. Interestingly, Panda searches it’s own IAT for hooked functions. However, as Panda has replaced importing through the IAT with the import resolver function (for most functions including all hooked functions) this has no purpose. 5.5 Hooks and Browser Manipulation   \n",
       "164                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                             has no purpose. 5.5 Hooks and Browser Manipulation After Panda successfully injected into its target processses (see section 5.3), it starts hooking all   \n",
       "165                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                processses (see section 5.3), it starts hooking all necessary 
functions to provide banking trojan capabillities. The detailed technique is described in section 5.4 so this section focuses on the individual browser and how Panda implements its malicious activities. 5.5 Hooks and Browser Manipulation 23 Figure 5.1: Flowgraph of the process infection thread. 5.5.1 Internet Explorer Since Internet Explorer is a browser made by Microsoft, it vastly depends on   \n",
       "166                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                              browser made by Microsoft, it vastly depends on functions from the Windows API and has no dependencies on third-party DLLs that need to   \n",
       "167                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                              no dependencies on third-party DLLs that need to be considered when hooking Internet Explorer. The actual hooks are done by overwriting some bytes in the function prologue (see section 5.4). The list of functions hooked by Panda is   \n",
       "168                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                      The list of functions hooked by Panda is as follows: ∙ wininet!HttpSendRequestW ∙ wininet!HttpSendRequestA ∙ wininet!HttpSendRequestExW ∙ wininet!HttpSendRequestExA ∙ wininet!InternetReadFile ∙ wininet!InternetReadFileExW ∙   \n",
       "169                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          wininet!HttpSendRequestExW ∙ wininet!HttpSendRequestExA ∙ wininet!InternetReadFile ∙ 
wininet!InternetReadFileExW ∙ wininet!InternetReadFileExA 5.5 Hooks and Browser Manipulation 24 ∙ wininet!InternetQueryDataAvailabe ∙ wininet!InternetCloseHandle ∙ wininet!HttpOpenRequestW ∙ wininet!HttpOpenRequestA ∙ wininet!HttpQueryInfoA ∙ wininet!InternetConnectW ∙ wininet!InternetConnectA ∙ wininet!InternetWriteFile Additionally,Pandadisablesthephishingfiltertoavoidtriggeringitwiththewebinjects, through   \n",
       "170                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                              ∙ wininet!InternetConnectW ∙ wininet!InternetConnectA ∙ wininet!InternetWriteFile Additionally,Pandadisablesthephishingfiltertoavoidtriggeringitwiththewebinjects, through modifying the following registry keys: ∙ HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter\\Enabled ∙ HKCU\\Software\\Microsoft\\Internet   \n",
       "171                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                            following registry keys: ∙ HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter\\Enabled ∙ HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter\\EnabledV8 ∙ HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter\\EnabledV9 And   \n",
       "172                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Explorer\\PhishingFilter\\Enabled ∙ HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter\\EnabledV8 ∙ HKCU\\Software\\Microsoft\\Internet 
Explorer\\PhishingFilter\\EnabledV9 And it sets several internet zone policies to allow in order to get access to cookies and enable cross site script includes: ∙ URLACTION_CROSS_DOMAIN_DATA ∙ URLACTION_HTML_MIXED_CONTENT ∙ URLACTION_COOKIES ∙ URLACTION_COOKIES_ENABLED ∙ URLACTION_COOKIES_SESSION ∙ URLACTION_COOKIES_THIRD_PARTY ∙ URLACTION_COOKIES_SESSION_THIRD_PARTY And finally it disables the “bad certificate” warning by modifying   \n",
       "173                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                        it disables the “bad certificate” warning by modifying the registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WarnonBadCertRecving   \n",
       "174                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    warning by modifying the registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WarnonBadCertRecving 5.5 Hooks and Browser Manipulation 25 5.5.2 Mozilla Firefox As described in section 5.5.3, Firefox uses a dynamically linked NSPR4.dll. This lowers the bounds for the malware to hook all necessary functions. Panda hooks the functions PR_Close, PR_Read, PR_Write, and PR_Poll by overwriting some bytes in the function prologue like it does for all Windows API hooks (see section 5.4). Similarly to Internet Explorer, Panda modifies the user preferences the better fit the needs of the malware. 
In the case of Firefox, it walks through the profiles directory of Firefox’s settings directory (%APPDATA%\\Mozilla\\Firefox) and sets the following user preferences to false: ∙ privacy.clearOnShutdown.cookies ∙ security.warn_viewing_mixed ∙ security.warn_viewing_mixed.show_once ∙ security.warn_submit_insecure ∙ security.warn_submit_insecure.show_once ∙ security.warn_entering_secure ∙ security.warn_entering_weak ∙ security.warn_leaving_secure ∙ network.http.spdy.enabled ∙ network.http.spdy.enabled.v2 ∙ network.http.spdy.enabled.v3 5.5.3 Google Chrome Hooking Google’s Chrome browser is different compared to Firefox or Internet Explorer, because Chrome uses functions from both the   \n",
       "175                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                   Explorer, because Chrome uses functions from both the Windows API and Mozilla’s NSPR4 li- brary. The Windows API functions are as described in section 5.4. The difference between   \n",
       "176                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  as described in section 5.4. The difference between hooking Firefox and Chrome is that Chrome has a statically linked nspr4.dll instead of a dynamically linked one like Firefox has. Unfortunately, this has the conse- quencethatoneisnotabletouseGetProcAddresstogettheaddressofthefunctionand tooverwritesomebytesatthataddress. However,Chromeinternallyusesaglobalstruct of function pointers pointing to the actual functions. A pointer to this struct is shipped with each connection that is made by the browser. 
Panda tries to find the global struct and overwrites the function pointers in that specific struct to hook Chrome’s NSPR4 functions. The list of hooked functions (including Window API function) is as follows: ∙ PR_Write (NSPR4 overwrite) 5.6 Plug-in ability 26 ∙ PR_Read (NSPR4 overwrite) ∙ PR_Close (NSPR4 overwrite) ∙ closesocket (WinAPI-Hook) ∙ WSARecv (WinAPI-Hook) ∙ WSASend (WinAPI-Hook) ∙ recv (WinAPI-Hook) 5.5.4 User Functions In addition to the MITB hooks, Panda can   \n",
       "177                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                 In addition to the MITB hooks, Panda can also take screenshots, logs keyboard input, and watches for clipboard pastes. To be able to   \n",
       "178                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                     watches for clipboard pastes. To be able to log keyboard input, Panda hooks TranslateMessage for each process it   \n",
       "179                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                    input, Panda hooks TranslateMessage for each process it is injected into. It then checks each windows message for   \n",
       "180                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                              into. It then checks each windows message for WM_KEYDOWN and logs the (unicode) character representation of the pressed   \n",
       "181                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                             logs the (unicode) character representation of the pressed key. Additionally, Panda listens for WM_MOUSEBUTTONDOWN events and triggers a   \n",
       "182                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                Panda listens for WM_MOUSEBUTTONDOWN events and triggers a screenshot for each of the   \n",
       "183                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                                   and triggers a screenshot for each of the next 100 mouse clicks if   \n",
       "184                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                each of the next 100 mouse clicks if a corresponding webfilter was triggered previously (see section 5.7 for a descrip- tion of the webfilters). Additionally, Panda hooks GetClipboardData. Hooking this specific function allows the malware authors to capture passwords that are not typed by the user but instead are pasted into the form fields in the browser (e.g. because the passwords are saved in a file on disk or because the user uses a password manager). 5.6 Plug-in ability The Panda malware has the ability to dynamically load malware modules from web resources and to execute them in-place. This makes Panda a very flexible malware that can be retrofitted for other purposes. Technically, they re-implemented LoadLibrary without the need of having the actual library on disk. 
First, the malware allocates enough space for the loaded DLL in the virtual memory of its process using VirtualAlloc. Afterwards, Panda section-wise copiestheDLLintothepreviouslyallocatedblockofmemory. BecauseDLLsareposition independent, the third step is to relocate the sections. To achieve that, Panda walks through the relocation table (.reloc section) and resolves the required relocations by applying the   \n",
       "185                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                              and resolves the required relocations by applying the base of the corresponding section   \n",
       "186                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                     by applying the base of the corresponding section to it. Panda also needs to resolve the imports of the module. The list of imports can be shortly described as a \"what-where\" list. For each of the entries in the list, Panda uses LoadLibrary   \n",
       "187                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                    the entries in the list, Panda uses LoadLibrary and GetProcAddress to resolve the   \n",
       "188                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                            Panda uses LoadLibrary and GetProcAddress to resolve the address of the imported function   \n",
       "189                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                  to resolve the address of the imported function and writes it to the corresponding entry in the list. Finally, it calls the DllMain   \n",
       "190                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                    in the list. Finally, it calls the DllMain function of the loaded library to hand over control to   \n",
       "191                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                    the loaded library to hand over control to the initialization function of the DLL. Panda uses this technique to dynamically load its HttpGrabber,   \n",
       "192                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                 uses this technique to dynamically load its HttpGrabber, Socks proxy, and VNC server   \n",
       "193                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                   load its HttpGrabber, Socks proxy, and VNC server modules into the current process   \n",
       "194                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                and VNC server modules into the current process space. 5.7 Webfilters 27 5.7 Webfilters Pandaimplementsafeaturethatiscalled“webfilters” bythemalwareauthors. Although, “filters” isnotthecorrecttermfrommypointofview. Consider!http://*microsoft.com* as an example for such a webfilter. The first character obviously does not belong to the actual URL although it should be clear that the exclamation mark stands for something like “not”. 
The position of the exclamation mark can be called “action” and is followed by the actual URL which can contain asterisks as placeholders for “any characters”. The full list of actions is as follows: P report request content if request type is POST ˆ block access to website and report the request content | (pipe symbol) during my analysis I was not yet able to determine what this is used for @ takes a screenshot (500x500   \n",
       "195                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                                     is used for @ takes a screenshot (500x500 pixels) on each of the   \n",
       "196                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                               a screenshot (500x500 pixels) on each of the next 100 mouse clicks (at   \n",
       "197                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                each of the next 100 mouse clicks (at max) ! don’t write a report or analyze the data   \n",
       "198                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                       don’t write a report or analyze the data # takes a screenshot (fullscreen) on each of the next   \n",
       "199                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                              a screenshot (fullscreen) on each of the next 100 mouse clicks (at max)   \n",
       "200                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                   of the next 100 mouse clicks (at max) % trigger the start of the VNC module (if not already started) & trigger the   \n",
       "201                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                  module (if not already started) & trigger the start of the socks proxy module (if not already started) 5.8 Remote Script Inadditiontotheautomaticinformationgathering,Pandaprovidesascript-likeinterface whereitcantakeseveralcommandsandperformsactionsonthevictim’sPCaccordingly.   \n",
       "202                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                             not already started) 5.8 Remote Script Inadditiontotheautomaticinformationgathering,Pandaprovidesascript-likeinterface whereitcantakeseveralcommandsandperformsactionsonthevictim’sPCaccordingly. Unfortunately, the script commands are   \n",
       "203                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                         Script Inadditiontotheautomaticinformationgathering,Pandaprovidesascript-likeinterface whereitcantakeseveralcommandsandperformsactionsonthevictim’sPCaccordingly. Unfortunately, the script commands are hashed using CRC32 before comparing   \n",
       "204                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 script commands are hashed using CRC32 before comparing to the list of handlers so 
that we were not able to tell the names of the commands. But nevertheless we were able to determine the purpose of the commands by looking at their respective handlers. The possible actions the remote script can trigger, are: set shutdown flag shutdown PC after the script finished set maintenance shutdown flag shutdown PC in “minor maintenance” mode 5.8 Remote Script 28 uninstall removes   \n",
       "205                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                         maintenance” mode 5.8 Remote Script 28 uninstall removes the bot from the PC   \n",
       "206                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                  28 uninstall removes the bot from the PC update bot (force) updates the binary executable of the bot update config (force) updates the bot’s dynamic configuration block or unblock webinjects allows for disabling or enabling certain webinjects list files matching a given path pattern searches the local file   \n",
       "207                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                           a given path pattern searches the local file system for all files matching   \n",
       "208                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                       the local file system for all files matching the pattern and adds the list to the report read files matching a given path pattern searchesthelocalfilesystemforallfilesmatchingthepatternandaddsthecontent of the files to the report remove a   \n",
       "209                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                             of the files to the report remove a local file deletes a file from the local file system   \n",
       "210                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                         deletes a file from the local file system execute remote file downloads and executes an arbitrary file block   \n",
       "211                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                           file downloads and executes an arbitrary file block or unblock a given URL   \n",
       "212                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                        arbitrary file block or unblock a given URL allows for blocking or unblocking a given URL so that the user can (or cannot) open the page in the browser enable HttpGrabber features grab passwords, forms, certificates, cookies (1+2), delete cookies (1+2), softlist, delete cache start VNC module (force)   \n",
       "213                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                   (1+2), softlist, delete cache start VNC module (force) starts the VNC module start   \n",
       "214                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                VNC module (force) starts the VNC module start VNC module and set a flag in the local settings (force) start the VNC module and sets the appropriate flag in the local settings start socks module (force) starts the   \n",
       "215                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                            local settings start socks module (force) starts the Socks proxy module start socks module and set a flag   \n",
       "216                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                               module start socks module and set a flag in the local settings (force)   \n",
       "217                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                        set a flag in the local settings (force) starts the Socks proxy module and sets the approriate flag in the local settings 5.9   \n",
       "218                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                             the approriate flag in the local settings 5.9 System Report 29 5.9 System Report Each time Panda communicates with the command-and-control server, it sends status information about the   \n",
       "219                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                command-and-control server, it sends status information about the bot back to the command-and-control   \n",
       "220                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                    information about the bot back to the command-and-control server. The exact informa- tion depend on the type of the message sent to the server. But there are five groups of information that can be sent: SYSINFO_TIME ∙ current   \n",
       "221                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                information that can be sent: SYSINFO_TIME ∙ current system time (UTC) SYSINFO_USER ∙   \n",
       "222                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          SYSINFO_TIME ∙ current system time (UTC) SYSINFO_USER ∙ the name of the process executable where the control process resides in ∙ the current system user SYSINFO_BOTVERSION ∙ bot ID ∙ the botnet the client is part of ∙ the version of the bot SYSINFO_OS ∙ system version (e.g. 6.1 for Windows 7) ∙ service pack number ∙ build id ∙ architecture (32/64 bit) ∙ server edition? 
∙ default ui language SYSINFO_MISC ∙ network latency ∙ localized time ∙ computer name ∙ installed antivirus, antispyware, and firewall products 6 Conclusion Panda must be considered to be among the more advanced types of malware. The code basis is large and sports a number of features not found in less sophisticated malware. These features include extensive anti-analysis code and an advanced hooking framework in which Panda brings, among other things, its   \n",
       "223                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                    in which Panda brings, among other things, its own instruction length decoder. The code seems to be mature and the quality of the   \n",
       "224                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    to be mature and the quality of the code appears to be above the average for malware. The main purpose of Panda is to serve as a bankning trojan. 
Therefore its author equipped the malware with sophisticated capabilities and supports all major browsers in the Windows ecosystem. However, Panda shows significant flexibility allowing it to be used for other malicous purposes. For example, Panda implements a modifiable configuration that can be changed at any time by the attacker. Additionally, Panda is able to spy on user activity, provides a remotely accessible scripting language, and has the abillity to load a VNC server and   \n",
       "225                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                   the abillity to load a VNC server and a SOCKS proxy module to provide additional remote access features to the attacker. Thus, the   \n",
       "\n",
       "                                                                                       label(s)  \\\n",
       "0                                                                                            {}   \n",
       "1                                                                   {Process Injection - T1055}   \n",
       "2                                                                                            {}   \n",
       "3                                                                   {Process Injection - T1055}   \n",
       "4                                                                                            {}   \n",
       "5                                                     {Obfuscated Files or Information - T1027}   \n",
       "6                                                                                            {}   \n",
       "7                                                                     {Modify Registry - T1112}   \n",
       "8                     {Modify Registry - T1112, Registry Run Keys / Startup Folder - T1547.001}   \n",
       "9                                                                                            {}   \n",
       "10                    {Modify Registry - T1112, Registry Run Keys / Startup Folder - T1547.001}   \n",
       "11                                                                                           {}   \n",
       "12                                                    {Obfuscated Files or Information - T1027}   \n",
       "13                                                                                           {}   \n",
       "14                                                                         {Native API - T1106}   \n",
       "15                                                                                           {}   \n",
       "16                                                    {Obfuscated Files or Information - T1027}   \n",
       "17                                                                                           {}   \n",
       "18                                                                         {Native API - T1106}   \n",
       "19                                                                                           {}   \n",
       "20                    {Modify Registry - T1112, Registry Run Keys / Startup Folder - T1547.001}   \n",
       "21                                                                                           {}   \n",
       "22                                                                  {File Deletion - T1070.004}   \n",
       "23                                                          {Windows Command Shell - T1059.003}   \n",
       "24                    {Modify Registry - T1112, Registry Run Keys / Startup Folder - T1547.001}   \n",
       "25                                                                                           {}   \n",
       "26                                                                    {Modify Registry - T1112}   \n",
       "27                                                                                           {}   \n",
       "28                                                                {Windows Service - T1543.003}   \n",
       "29                                                                                           {}   \n",
       "30                                                                    {Modify Registry - T1112}   \n",
       "31                                                                                           {}   \n",
       "32                                                                    {Modify Registry - T1112}   \n",
       "33                                                                                           {}   \n",
       "34                                                                         {Native API - T1106}   \n",
       "35                                                                                           {}   \n",
       "36                                            {Deobfuscate/Decode Files or Information - T1140}   \n",
       "37                                                                                           {}   \n",
       "38                                                                         {Native API - T1106}   \n",
       "39                                                                                           {}   \n",
       "40                                                                         {Native API - T1106}   \n",
       "41                                                                                           {}   \n",
       "42                                                                         {Native API - T1106}   \n",
       "43                                                                                           {}   \n",
       "44                                                                         {Native API - T1106}   \n",
       "45                                                                                           {}   \n",
       "46                                                                         {Native API - T1106}   \n",
       "47                                                                                           {}   \n",
       "48                                                    {Obfuscated Files or Information - T1027}   \n",
       "49   {Deobfuscate/Decode Files or Information - T1140, Obfuscated Files or Information - T1027}   \n",
       "50                                            {Deobfuscate/Decode Files or Information - T1140}   \n",
       "51                                                                                           {}   \n",
       "52                                                    {Obfuscated Files or Information - T1027}   \n",
       "53                                                                                           {}   \n",
       "54                                                    {Obfuscated Files or Information - T1027}   \n",
       "55   {Deobfuscate/Decode Files or Information - T1140, Obfuscated Files or Information - T1027}   \n",
       "56                                            {Deobfuscate/Decode Files or Information - T1140}   \n",
       "57                                                                                           {}   \n",
       "58                                            {Deobfuscate/Decode Files or Information - T1140}   \n",
       "59                                                                                           {}   \n",
       "60                                            {Deobfuscate/Decode Files or Information - T1140}   \n",
       "61                                                                                           {}   \n",
       "62                                                    {Obfuscated Files or Information - T1027}   \n",
       "63                                                                                           {}   \n",
       "64                                                                         {Native API - T1106}   \n",
       "65                                                                                           {}   \n",
       "66                                                    {Obfuscated Files or Information - T1027}   \n",
       "67                                                                                           {}   \n",
       "68                                                    {Obfuscated Files or Information - T1027}   \n",
       "69                                                                                           {}   \n",
       "70                                                    {Obfuscated Files or Information - T1027}   \n",
       "71                                                        {Remote Desktop Protocol - T1021.001}   \n",
       "72                                                                                           {}   \n",
       "73                                            {Deobfuscate/Decode Files or Information - T1140}   \n",
       "74   {Deobfuscate/Decode Files or Information - T1140, Obfuscated Files or Information - T1027}   \n",
       "75                                            {Deobfuscate/Decode Files or Information - T1140}   \n",
       "76                                                                    {Modify Registry - T1112}   \n",
       "77                                                                                           {}   \n",
       "78                                                    {Obfuscated Files or Information - T1027}   \n",
       "79                                                                                           {}   \n",
       "80                                                    {Obfuscated Files or Information - T1027}   \n",
       "81                                                                                           {}   \n",
       "82                                                        {Remote Desktop Protocol - T1021.001}   \n",
       "83                                                                                           {}   \n",
       "84                                                    {Obfuscated Files or Information - T1027}   \n",
       "85                                                                                           {}   \n",
       "86                                                    {Obfuscated Files or Information - T1027}   \n",
       "87                                                                                           {}   \n",
       "88                           {Modify Registry - T1112, Obfuscated Files or Information - T1027}   \n",
       "89                                                                    {Modify Registry - T1112}   \n",
       "90                                                                                           {}   \n",
       "91                                                                    {Modify Registry - T1112}   \n",
       "92                                                                                           {}   \n",
       "93                                                       {Exfiltration Over C2 Channel - T1041}   \n",
       "94                                                                                           {}   \n",
       "95                    {Modify Registry - T1112, Registry Run Keys / Startup Folder - T1547.001}   \n",
       "96                                                                    {Modify Registry - T1112}   \n",
       "97                                                                                           {}   \n",
       "98                                                                    {Modify Registry - T1112}   \n",
       "99                    {Modify Registry - T1112, Registry Run Keys / Startup Folder - T1547.001}   \n",
       "100                                                                                          {}   \n",
       "101                                                             {Ingress Tool Transfer - T1105}   \n",
       "102                                                                                          {}   \n",
       "103                                                                             {Proxy - T1090}   \n",
       "104                                                                                          {}   \n",
       "105                        {File Deletion - T1070.004, Obfuscated Files or Information - T1027}   \n",
       "106                                                                                          {}   \n",
       "107                                                             {Ingress Tool Transfer - T1105}   \n",
       "108                                                                                          {}   \n",
       "109                                                                 {Web Protocols - T1071.001}   \n",
       "110                                                                                          {}   \n",
       "111                                                                             {Proxy - T1090}   \n",
       "112                                                                                          {}   \n",
       "113                                                             {Ingress Tool Transfer - T1105}   \n",
       "114                                                                                          {}   \n",
       "115                                                                    {Keylogging - T1056.001}   \n",
       "116                                                                                          {}   \n",
       "117                                                             {Ingress Tool Transfer - T1105}   \n",
       "118                                                                                          {}   \n",
       "119                                                             {Ingress Tool Transfer - T1105}   \n",
       "120                                                                                          {}   \n",
       "121                                                   {Obfuscated Files or Information - T1027}   \n",
       "122  {Deobfuscate/Decode Files or Information - T1140, Obfuscated Files or Information - T1027}   \n",
       "123                                           {Deobfuscate/Decode Files or Information - T1140}   \n",
       "124                                                                                          {}   \n",
       "125                                                       {Remote Desktop Protocol - T1021.001}   \n",
       "126                                                                                          {}   \n",
       "127                                                   {Obfuscated Files or Information - T1027}   \n",
       "128                                                                                          {}   \n",
       "129                                                   {Obfuscated Files or Information - T1027}   \n",
       "130                                                                                          {}   \n",
       "131                   {Modify Registry - T1112, Registry Run Keys / Startup Folder - T1547.001}   \n",
       "132                                                                                          {}   \n",
       "133                                                                 {Web Protocols - T1071.001}   \n",
       "134                                                                                          {}   \n",
       "135                                             {Native API - T1106, Process Injection - T1055}   \n",
       "136                                                                 {Process Injection - T1055}   \n",
       "137                                                                                          {}   \n",
       "138                                                                 {Process Injection - T1055}   \n",
       "139                                                                                          {}   \n",
       "140                                                                 {Process Injection - T1055}   \n",
       "141                                                                                          {}   \n",
       "142                                                                 {Process Injection - T1055}   \n",
       "143                                                                                          {}   \n",
       "144                                                                 {Web Protocols - T1071.001}   \n",
       "145                                                                                          {}   \n",
       "146  {Deobfuscate/Decode Files or Information - T1140, Obfuscated Files or Information - T1027}   \n",
       "147                                           {Deobfuscate/Decode Files or Information - T1140}   \n",
       "148                                                                                          {}   \n",
       "149                                                                 {Process Injection - T1055}   \n",
       "150                                                                                          {}   \n",
       "151                                                                 {Process Injection - T1055}   \n",
       "152                                                                                          {}   \n",
       "153                                                                 {Process Injection - T1055}   \n",
       "154                                                                                          {}   \n",
       "155                                                                 {Process Injection - T1055}   \n",
       "156                                                                                          {}   \n",
       "157                                                                 {Process Injection - T1055}   \n",
       "158                                                                                          {}   \n",
       "159                                                                        {Native API - T1106}   \n",
       "160                                                                                          {}   \n",
       "161                                                   {Obfuscated Files or Information - T1027}   \n",
       "162                                           {Deobfuscate/Decode Files or Information - T1140}   \n",
       "163                                                                                          {}   \n",
       "164                                                                 {Process Injection - T1055}   \n",
       "165                                                                                          {}   \n",
       "166                                                                        {Native API - T1106}   \n",
       "167                                                                                          {}   \n",
       "168                                                                 {Web Protocols - T1071.001}   \n",
       "169                                                                                          {}   \n",
       "170                   {Modify Registry - T1112, Registry Run Keys / Startup Folder - T1547.001}   \n",
       "171                                                                   {Modify Registry - T1112}   \n",
       "172                                                                                          {}   \n",
       "173                                                       {Disable or Modify Tools - T1562.001}   \n",
       "174                                                                                          {}   \n",
       "175                                                                        {Native API - T1106}   \n",
       "176                                                                                          {}   \n",
       "177                                                                    {Screen Capture - T1113}   \n",
       "178                                                                                          {}   \n",
       "179                                                                 {Process Injection - T1055}   \n",
       "180                                                {Windows Management Instrumentation - T1047}   \n",
       "181                                                                                          {}   \n",
       "182                                                                    {Screen Capture - T1113}   \n",
       "183                                                                {Malicious File - T1204.002}   \n",
       "184                                                                                          {}   \n",
       "185                                                   {Obfuscated Files or Information - T1027}   \n",
       "186                                                                                          {}   \n",
       "187                                  {File and Directory Discovery - T1083, Native API - T1106}   \n",
       "188                                                                        {Native API - T1106}   \n",
       "189                                                                                          {}   \n",
       "190                                                                        {Native API - T1106}   \n",
       "191                                                                                          {}   \n",
       "192                                                                 {Web Protocols - T1071.001}   \n",
       "193                                                  {Web Protocols - T1071.001, Proxy - T1090}   \n",
       "194                                                                                          {}   \n",
       "195                                                                    {Screen Capture - T1113}   \n",
       "196                                                                {Malicious File - T1204.002}   \n",
       "197                                                                                          {}   \n",
       "198                                                                    {Screen Capture - T1113}   \n",
       "199                                                                {Malicious File - T1204.002}   \n",
       "200                                                                                          {}   \n",
       "201                                                                             {Proxy - T1090}   \n",
       "202                                                                                          {}   \n",
       "203                                                   {Obfuscated Files or Information - T1027}   \n",
       "204                                                                                          {}   \n",
       "205                                                   {Obfuscated Files or Information - T1027}   \n",
       "206                                                                                          {}   \n",
       "207                                                      {File and Directory Discovery - T1083}   \n",
       "208                                                                                          {}   \n",
       "209                                                                 {File Deletion - T1070.004}   \n",
       "210                          {Windows Command Shell - T1059.003, Ingress Tool Transfer - T1105}   \n",
       "211                                                             {Ingress Tool Transfer - T1105}   \n",
       "212                                                                                          {}   \n",
       "213                                                                 {File Deletion - T1070.004}   \n",
       "214                                                                                          {}   \n",
       "215                                                                             {Proxy - T1090}   \n",
       "216                                                                                          {}   \n",
       "217                                                                             {Proxy - T1090}   \n",
       "218                                                                                          {}   \n",
       "219                                                      {Exfiltration Over C2 Channel - T1041}   \n",
       "220                                                                                          {}   \n",
       "221                                                      {Exfiltration Over C2 Channel - T1041}   \n",
       "222                                                                                          {}   \n",
       "223  {Deobfuscate/Decode Files or Information - T1140, Obfuscated Files or Information - T1027}   \n",
       "224                                                                                          {}   \n",
       "225                                                                             {Proxy - T1090}   \n",
       "\n",
       "                     name  \n",
       "0    panda-whitepaper.pdf  \n",
       "1    panda-whitepaper.pdf  \n",
       "2    panda-whitepaper.pdf  \n",
       "3    panda-whitepaper.pdf  \n",
       "4    panda-whitepaper.pdf  \n",
       "5    panda-whitepaper.pdf  \n",
       "6    panda-whitepaper.pdf  \n",
       "7    panda-whitepaper.pdf  \n",
       "8    panda-whitepaper.pdf  \n",
       "9    panda-whitepaper.pdf  \n",
       "10   panda-whitepaper.pdf  \n",
       "11   panda-whitepaper.pdf  \n",
       "12   panda-whitepaper.pdf  \n",
       "13   panda-whitepaper.pdf  \n",
       "14   panda-whitepaper.pdf  \n",
       "15   panda-whitepaper.pdf  \n",
       "16   panda-whitepaper.pdf  \n",
       "17   panda-whitepaper.pdf  \n",
       "18   panda-whitepaper.pdf  \n",
       "19   panda-whitepaper.pdf  \n",
       "20   panda-whitepaper.pdf  \n",
       "21   panda-whitepaper.pdf  \n",
       "22   panda-whitepaper.pdf  \n",
       "23   panda-whitepaper.pdf  \n",
       "24   panda-whitepaper.pdf  \n",
       "25   panda-whitepaper.pdf  \n",
       "26   panda-whitepaper.pdf  \n",
       "27   panda-whitepaper.pdf  \n",
       "28   panda-whitepaper.pdf  \n",
       "29   panda-whitepaper.pdf  \n",
       "30   panda-whitepaper.pdf  \n",
       "31   panda-whitepaper.pdf  \n",
       "32   panda-whitepaper.pdf  \n",
       "33   panda-whitepaper.pdf  \n",
       "34   panda-whitepaper.pdf  \n",
       "35   panda-whitepaper.pdf  \n",
       "36   panda-whitepaper.pdf  \n",
       "37   panda-whitepaper.pdf  \n",
       "38   panda-whitepaper.pdf  \n",
       "39   panda-whitepaper.pdf  \n",
       "40   panda-whitepaper.pdf  \n",
       "41   panda-whitepaper.pdf  \n",
       "42   panda-whitepaper.pdf  \n",
       "43   panda-whitepaper.pdf  \n",
       "44   panda-whitepaper.pdf  \n",
       "45   panda-whitepaper.pdf  \n",
       "46   panda-whitepaper.pdf  \n",
       "47   panda-whitepaper.pdf  \n",
       "48   panda-whitepaper.pdf  \n",
       "49   panda-whitepaper.pdf  \n",
       "50   panda-whitepaper.pdf  \n",
       "51   panda-whitepaper.pdf  \n",
       "52   panda-whitepaper.pdf  \n",
       "53   panda-whitepaper.pdf  \n",
       "54   panda-whitepaper.pdf  \n",
       "55   panda-whitepaper.pdf  \n",
       "56   panda-whitepaper.pdf  \n",
       "57   panda-whitepaper.pdf  \n",
       "58   panda-whitepaper.pdf  \n",
       "59   panda-whitepaper.pdf  \n",
       "60   panda-whitepaper.pdf  \n",
       "61   panda-whitepaper.pdf  \n",
       "62   panda-whitepaper.pdf  \n",
       "63   panda-whitepaper.pdf  \n",
       "64   panda-whitepaper.pdf  \n",
       "65   panda-whitepaper.pdf  \n",
       "66   panda-whitepaper.pdf  \n",
       "67   panda-whitepaper.pdf  \n",
       "68   panda-whitepaper.pdf  \n",
       "69   panda-whitepaper.pdf  \n",
       "70   panda-whitepaper.pdf  \n",
       "71   panda-whitepaper.pdf  \n",
       "72   panda-whitepaper.pdf  \n",
       "73   panda-whitepaper.pdf  \n",
       "74   panda-whitepaper.pdf  \n",
       "75   panda-whitepaper.pdf  \n",
       "76   panda-whitepaper.pdf  \n",
       "77   panda-whitepaper.pdf  \n",
       "78   panda-whitepaper.pdf  \n",
       "79   panda-whitepaper.pdf  \n",
       "80   panda-whitepaper.pdf  \n",
       "81   panda-whitepaper.pdf  \n",
       "82   panda-whitepaper.pdf  \n",
       "83   panda-whitepaper.pdf  \n",
       "84   panda-whitepaper.pdf  \n",
       "85   panda-whitepaper.pdf  \n",
       "86   panda-whitepaper.pdf  \n",
       "87   panda-whitepaper.pdf  \n",
       "88   panda-whitepaper.pdf  \n",
       "89   panda-whitepaper.pdf  \n",
       "90   panda-whitepaper.pdf  \n",
       "91   panda-whitepaper.pdf  \n",
       "92   panda-whitepaper.pdf  \n",
       "93   panda-whitepaper.pdf  \n",
       "94   panda-whitepaper.pdf  \n",
       "95   panda-whitepaper.pdf  \n",
       "96   panda-whitepaper.pdf  \n",
       "97   panda-whitepaper.pdf  \n",
       "98   panda-whitepaper.pdf  \n",
       "99   panda-whitepaper.pdf  \n",
       "100  panda-whitepaper.pdf  \n",
       "101  panda-whitepaper.pdf  \n",
       "102  panda-whitepaper.pdf  \n",
       "103  panda-whitepaper.pdf  \n",
       "104  panda-whitepaper.pdf  \n",
       "105  panda-whitepaper.pdf  \n",
       "106  panda-whitepaper.pdf  \n",
       "107  panda-whitepaper.pdf  \n",
       "108  panda-whitepaper.pdf  \n",
       "109  panda-whitepaper.pdf  \n",
       "110  panda-whitepaper.pdf  \n",
       "111  panda-whitepaper.pdf  \n",
       "112  panda-whitepaper.pdf  \n",
       "113  panda-whitepaper.pdf  \n",
       "114  panda-whitepaper.pdf  \n",
       "115  panda-whitepaper.pdf  \n",
       "116  panda-whitepaper.pdf  \n",
       "117  panda-whitepaper.pdf  \n",
       "118  panda-whitepaper.pdf  \n",
       "119  panda-whitepaper.pdf  \n",
       "120  panda-whitepaper.pdf  \n",
       "121  panda-whitepaper.pdf  \n",
       "122  panda-whitepaper.pdf  \n",
       "123  panda-whitepaper.pdf  \n",
       "124  panda-whitepaper.pdf  \n",
       "125  panda-whitepaper.pdf  \n",
       "126  panda-whitepaper.pdf  \n",
       "127  panda-whitepaper.pdf  \n",
       "128  panda-whitepaper.pdf  \n",
       "129  panda-whitepaper.pdf  \n",
       "130  panda-whitepaper.pdf  \n",
       "131  panda-whitepaper.pdf  \n",
       "132  panda-whitepaper.pdf  \n",
       "133  panda-whitepaper.pdf  \n",
       "134  panda-whitepaper.pdf  \n",
       "135  panda-whitepaper.pdf  \n",
       "136  panda-whitepaper.pdf  \n",
       "137  panda-whitepaper.pdf  \n",
       "138  panda-whitepaper.pdf  \n",
       "139  panda-whitepaper.pdf  \n",
       "140  panda-whitepaper.pdf  \n",
       "141  panda-whitepaper.pdf  \n",
       "142  panda-whitepaper.pdf  \n",
       "143  panda-whitepaper.pdf  \n",
       "144  panda-whitepaper.pdf  \n",
       "145  panda-whitepaper.pdf  \n",
       "146  panda-whitepaper.pdf  \n",
       "147  panda-whitepaper.pdf  \n",
       "148  panda-whitepaper.pdf  \n",
       "149  panda-whitepaper.pdf  \n",
       "150  panda-whitepaper.pdf  \n",
       "151  panda-whitepaper.pdf  \n",
       "152  panda-whitepaper.pdf  \n",
       "153  panda-whitepaper.pdf  \n",
       "154  panda-whitepaper.pdf  \n",
       "155  panda-whitepaper.pdf  \n",
       "156  panda-whitepaper.pdf  \n",
       "157  panda-whitepaper.pdf  \n",
       "158  panda-whitepaper.pdf  \n",
       "159  panda-whitepaper.pdf  \n",
       "160  panda-whitepaper.pdf  \n",
       "161  panda-whitepaper.pdf  \n",
       "162  panda-whitepaper.pdf  \n",
       "163  panda-whitepaper.pdf  \n",
       "164  panda-whitepaper.pdf  \n",
       "165  panda-whitepaper.pdf  \n",
       "166  panda-whitepaper.pdf  \n",
       "167  panda-whitepaper.pdf  \n",
       "168  panda-whitepaper.pdf  \n",
       "169  panda-whitepaper.pdf  \n",
       "170  panda-whitepaper.pdf  \n",
       "171  panda-whitepaper.pdf  \n",
       "172  panda-whitepaper.pdf  \n",
       "173  panda-whitepaper.pdf  \n",
       "174  panda-whitepaper.pdf  \n",
       "175  panda-whitepaper.pdf  \n",
       "176  panda-whitepaper.pdf  \n",
       "177  panda-whitepaper.pdf  \n",
       "178  panda-whitepaper.pdf  \n",
       "179  panda-whitepaper.pdf  \n",
       "180  panda-whitepaper.pdf  \n",
       "181  panda-whitepaper.pdf  \n",
       "182  panda-whitepaper.pdf  \n",
       "183  panda-whitepaper.pdf  \n",
       "184  panda-whitepaper.pdf  \n",
       "185  panda-whitepaper.pdf  \n",
       "186  panda-whitepaper.pdf  \n",
       "187  panda-whitepaper.pdf  \n",
       "188  panda-whitepaper.pdf  \n",
       "189  panda-whitepaper.pdf  \n",
       "190  panda-whitepaper.pdf  \n",
       "191  panda-whitepaper.pdf  \n",
       "192  panda-whitepaper.pdf  \n",
       "193  panda-whitepaper.pdf  \n",
       "194  panda-whitepaper.pdf  \n",
       "195  panda-whitepaper.pdf  \n",
       "196  panda-whitepaper.pdf  \n",
       "197  panda-whitepaper.pdf  \n",
       "198  panda-whitepaper.pdf  \n",
       "199  panda-whitepaper.pdf  \n",
       "200  panda-whitepaper.pdf  \n",
       "201  panda-whitepaper.pdf  \n",
       "202  panda-whitepaper.pdf  \n",
       "203  panda-whitepaper.pdf  \n",
       "204  panda-whitepaper.pdf  \n",
       "205  panda-whitepaper.pdf  \n",
       "206  panda-whitepaper.pdf  \n",
       "207  panda-whitepaper.pdf  \n",
       "208  panda-whitepaper.pdf  \n",
       "209  panda-whitepaper.pdf  \n",
       "210  panda-whitepaper.pdf  \n",
       "211  panda-whitepaper.pdf  \n",
       "212  panda-whitepaper.pdf  \n",
       "213  panda-whitepaper.pdf  \n",
       "214  panda-whitepaper.pdf  \n",
       "215  panda-whitepaper.pdf  \n",
       "216  panda-whitepaper.pdf  \n",
       "217  panda-whitepaper.pdf  \n",
       "218  panda-whitepaper.pdf  \n",
       "219  panda-whitepaper.pdf  \n",
       "220  panda-whitepaper.pdf  \n",
       "221  panda-whitepaper.pdf  \n",
       "222  panda-whitepaper.pdf  \n",
       "223  panda-whitepaper.pdf  \n",
       "224  panda-whitepaper.pdf  \n",
       "225  panda-whitepaper.pdf  "
      ]
     },
     "execution_count": 5,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "dfs = []\n",
    "for name, content in zip(upload.value, upload.data):\n",
    "    text = parse_text(name, io.BytesIO(content))\n",
    "    prediction_df = predict_document(text, threshold_selector.value, n_selector.value, stride_selector.value)\n",
    "    prediction_df['name'] = name\n",
    "    dfs.append(prediction_df)\n",
    "\n",
    "predicted = pd.concat(dfs).reset_index(drop=True)\n",
    "i = next(COUNT)\n",
    "output_file_name = f\"./output-{i}.json\"\n",
    "predicted.to_json(output_file_name, orient='table')\n",
    "\n",
    "predicted"
   ]
  }
 ],
 "metadata": {
  "accelerator": "GPU",
  "colab": {
   "gpuType": "T4",
   "provenance": []
  },
  "kernelspec": {
   "display_name": "Python 3 (ipykernel)",
   "language": "python",
   "name": "python3"
  },
  "language_info": {
   "codemirror_mode": {
    "name": "ipython",
    "version": 3
   },
   "file_extension": ".py",
   "mimetype": "text/x-python",
   "name": "python",
   "nbconvert_exporter": "python",
   "pygments_lexer": "ipython3",
   "version": "3.8.10"
  },
  "widgets": {
   "application/vnd.jupyter.widget-state+json": {
    "3115f30f09cb4f8b800cc921f7497922": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "DescriptionStyleModel",
     "state": {
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "DescriptionStyleModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "StyleView",
      "description_width": ""
     }
    },
    "498a84fba75b4cfda8874a6ff569721d": {
     "model_module": "@jupyter-widgets/base",
     "model_module_version": "1.2.0",
     "model_name": "LayoutModel",
     "state": {
      "_model_module": "@jupyter-widgets/base",
      "_model_module_version": "1.2.0",
      "_model_name": "LayoutModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "LayoutView",
      "align_content": null,
      "align_items": null,
      "align_self": null,
      "border": null,
      "bottom": null,
      "display": null,
      "flex": null,
      "flex_flow": null,
      "grid_area": null,
      "grid_auto_columns": null,
      "grid_auto_flow": null,
      "grid_auto_rows": null,
      "grid_column": null,
      "grid_gap": null,
      "grid_row": null,
      "grid_template_areas": null,
      "grid_template_columns": null,
      "grid_template_rows": null,
      "height": null,
      "justify_content": null,
      "justify_items": null,
      "left": null,
      "margin": null,
      "max_height": null,
      "max_width": null,
      "min_height": null,
      "min_width": null,
      "object_fit": null,
      "object_position": null,
      "order": null,
      "overflow": null,
      "overflow_x": null,
      "overflow_y": null,
      "padding": null,
      "right": null,
      "top": null,
      "visibility": null,
      "width": null
     }
    },
    "65d33d5c7fb14434b09bc3edfe650d29": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "BoundedIntTextModel",
     "state": {
      "_dom_classes": [],
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "BoundedIntTextModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/controls",
      "_view_module_version": "1.5.0",
      "_view_name": "IntTextView",
      "continuous_update": false,
      "description": "n value:",
      "description_tooltip": null,
      "disabled": false,
      "layout": "IPY_MODEL_9265f08085c14a33ac4e0ad3ef0d7cd6",
      "max": 100,
      "min": 0,
      "step": 1,
      "style": "IPY_MODEL_f0882d8483a4491ca93887a28d172cf1",
      "value": 13
     }
    },
    "74965934b984462fb2496f31515fa78b": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "ButtonStyleModel",
     "state": {
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "ButtonStyleModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "StyleView",
      "button_color": null,
      "font_weight": ""
     }
    },
    "8ab2949cffca4b57916b0e3ffee0d690": {
     "model_module": "@jupyter-widgets/base",
     "model_module_version": "1.2.0",
     "model_name": "LayoutModel",
     "state": {
      "_model_module": "@jupyter-widgets/base",
      "_model_module_version": "1.2.0",
      "_model_name": "LayoutModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "LayoutView",
      "align_content": null,
      "align_items": null,
      "align_self": null,
      "border": null,
      "bottom": null,
      "display": null,
      "flex": null,
      "flex_flow": null,
      "grid_area": null,
      "grid_auto_columns": null,
      "grid_auto_flow": null,
      "grid_auto_rows": null,
      "grid_column": null,
      "grid_gap": null,
      "grid_row": null,
      "grid_template_areas": null,
      "grid_template_columns": null,
      "grid_template_rows": null,
      "height": null,
      "justify_content": null,
      "justify_items": null,
      "left": null,
      "margin": null,
      "max_height": null,
      "max_width": null,
      "min_height": null,
      "min_width": null,
      "object_fit": null,
      "object_position": null,
      "order": null,
      "overflow": null,
      "overflow_x": null,
      "overflow_y": null,
      "padding": null,
      "right": null,
      "top": null,
      "visibility": null,
      "width": null
     }
    },
    "8ae20efd21214242a6b421ce8412d0df": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "DescriptionStyleModel",
     "state": {
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "DescriptionStyleModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "StyleView",
      "description_width": ""
     }
    },
    "9265f08085c14a33ac4e0ad3ef0d7cd6": {
     "model_module": "@jupyter-widgets/base",
     "model_module_version": "1.2.0",
     "model_name": "LayoutModel",
     "state": {
      "_model_module": "@jupyter-widgets/base",
      "_model_module_version": "1.2.0",
      "_model_name": "LayoutModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "LayoutView",
      "align_content": null,
      "align_items": null,
      "align_self": null,
      "border": null,
      "bottom": null,
      "display": null,
      "flex": null,
      "flex_flow": null,
      "grid_area": null,
      "grid_auto_columns": null,
      "grid_auto_flow": null,
      "grid_auto_rows": null,
      "grid_column": null,
      "grid_gap": null,
      "grid_row": null,
      "grid_template_areas": null,
      "grid_template_columns": null,
      "grid_template_rows": null,
      "height": null,
      "justify_content": null,
      "justify_items": null,
      "left": null,
      "margin": null,
      "max_height": null,
      "max_width": null,
      "min_height": null,
      "min_width": null,
      "object_fit": null,
      "object_position": null,
      "order": null,
      "overflow": null,
      "overflow_x": null,
      "overflow_y": null,
      "padding": null,
      "right": null,
      "top": null,
      "visibility": null,
      "width": null
     }
    },
    "97e6cfd7c49a46a5a1dcc6f810c3972d": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "BoundedIntTextModel",
     "state": {
      "_dom_classes": [],
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "BoundedIntTextModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/controls",
      "_view_module_version": "1.5.0",
      "_view_name": "IntTextView",
      "continuous_update": false,
      "description": "stride size:",
      "description_tooltip": null,
      "disabled": false,
      "layout": "IPY_MODEL_498a84fba75b4cfda8874a6ff569721d",
      "max": 100,
      "min": 0,
      "step": 1,
      "style": "IPY_MODEL_8ae20efd21214242a6b421ce8412d0df",
      "value": 5
     }
    },
    "a0daf61775094d08b57392a22a065668": {
     "model_module": "@jupyter-widgets/base",
     "model_module_version": "1.2.0",
     "model_name": "LayoutModel",
     "state": {
      "_model_module": "@jupyter-widgets/base",
      "_model_module_version": "1.2.0",
      "_model_name": "LayoutModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "LayoutView",
      "align_content": null,
      "align_items": null,
      "align_self": null,
      "border": null,
      "bottom": null,
      "display": null,
      "flex": null,
      "flex_flow": null,
      "grid_area": null,
      "grid_auto_columns": null,
      "grid_auto_flow": null,
      "grid_auto_rows": null,
      "grid_column": null,
      "grid_gap": null,
      "grid_row": null,
      "grid_template_areas": null,
      "grid_template_columns": null,
      "grid_template_rows": null,
      "height": null,
      "justify_content": null,
      "justify_items": null,
      "left": null,
      "margin": null,
      "max_height": null,
      "max_width": null,
      "min_height": null,
      "min_width": null,
      "object_fit": null,
      "object_position": null,
      "order": null,
      "overflow": null,
      "overflow_x": null,
      "overflow_y": null,
      "padding": null,
      "right": null,
      "top": null,
      "visibility": null,
      "width": null
     }
    },
    "adcde6e91c784415b48e3d57a384a55f": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "BoundedFloatTextModel",
     "state": {
      "_dom_classes": [],
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "BoundedFloatTextModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/controls",
      "_view_module_version": "1.5.0",
      "_view_name": "FloatTextView",
      "continuous_update": false,
      "description": "probability:",
      "description_tooltip": null,
      "disabled": false,
      "layout": "IPY_MODEL_8ab2949cffca4b57916b0e3ffee0d690",
      "max": 100,
      "min": 0,
      "step": 0.1,
      "style": "IPY_MODEL_3115f30f09cb4f8b800cc921f7497922",
      "value": 0.2
     }
    },
    "f0882d8483a4491ca93887a28d172cf1": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "DescriptionStyleModel",
     "state": {
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "DescriptionStyleModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/base",
      "_view_module_version": "1.2.0",
      "_view_name": "StyleView",
      "description_width": ""
     }
    },
    "f572b5925804434ba930673033b9cd22": {
     "model_module": "@jupyter-widgets/controls",
     "model_module_version": "1.5.0",
     "model_name": "FileUploadModel",
     "state": {
      "_counter": 1,
      "_dom_classes": [],
      "_model_module": "@jupyter-widgets/controls",
      "_model_module_version": "1.5.0",
      "_model_name": "FileUploadModel",
      "_view_count": null,
      "_view_module": "@jupyter-widgets/controls",
      "_view_module_version": "1.5.0",
      "_view_name": "FileUploadView",
      "accept": "",
      "button_style": "",
      "data": [
       null
      ],
      "description": "Upload",
      "description_tooltip": null,
      "disabled": false,
      "error": "",
      "icon": "upload",
      "layout": "IPY_MODEL_a0daf61775094d08b57392a22a065668",
      "metadata": [
       {
        "lastModified": 1689168242659,
        "name": "panda-whitepaper.pdf",
        "size": 367800,
        "type": "application/pdf"
       }
      ],
      "multiple": true,
      "style": "IPY_MODEL_74965934b984462fb2496f31515fa78b"
     }
    }
   }
  }
 },
 "nbformat": 4,
 "nbformat_minor": 5
}
